From 64edab790ff4fd06c4e62fdc36c45b3d1dfc5632 Mon Sep 17 00:00:00 2001 From: Warren Williams Date: Thu, 29 Jun 2023 15:54:58 -0500 Subject: [PATCH 001/110] Learn Editor: Update windows-upgrade-and-migration-considerations.md --- .../upgrade/windows-upgrade-and-migration-considerations.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index 9d45ea81e3..6df13ed120 100644 --- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md @@ -34,6 +34,8 @@ With Windows Easy Transfer, files and settings can be transferred using a networ ### Migrate with the User State Migration Tool You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they're migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded. +Note USMT supports devices that are joined to an Active Directory domain. USMT does not support hybrid or AAD joined devices. + ## Upgrade and migration considerations Whether you're upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations: From 56e24c41f93f2871cbe00a53070a303c48f059e7 Mon Sep 17 00:00:00 2001 From: mattweberms <138896848+mattweberms@users.noreply.github.com> Date: Fri, 7 Jul 2023 10:12:19 -0600 Subject: [PATCH 003/110] Update provisioning-multivariant.md Add SocIdentifier information --- .../provisioning-packages/provisioning-multivariant.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index a22a2e2dc5..f6bda1fbba 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -66,6 +66,7 @@ The following table shows the conditions supported in Windows client provisionin | ProcessorName | P1 | Supported | String | Use to target settings based on the processor name. | | AoAc ("Always On, Always Connected") | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. | | PowerPlatformRole | P1 | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the [POWER_PLATFORM_ROLE enumeration](/windows/win32/api/winnt/ne-winnt-power_platform_role). | +| SocIdentifier | P1 | Supported | String | Use to target settings based on the Soc Identifier. Available since 25301 OS build version. | | Architecture | P1 | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. | | Server | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. | | Region | P1 | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). | From eef87f3a0c7b2c6e0a2e4a3c1e9e25473cfbe0ad Mon Sep 17 00:00:00 2001 From: Andy Rivas <45184653+andyrivMSFT@users.noreply.github.com> Date: Fri, 7 Jul 2023 17:03:31 -0700 Subject: [PATCH 004/110] Update mcc-isp-signup.md Adding emphasis to the free aspect of the service. --- windows/deployment/do/mcc-isp-signup.md | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index 9ae3e9ed19..f0739c591c 100644 --- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md @@ -29,6 +29,10 @@ Before you begin sign up, ensure you have the following components: 1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You'll need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, go to the [Pay-As-You-Go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/). +> [!NOTE] +> Microsoft Connected Cache is a completely free service for operators. None of the resources created in Azure will incure any charges. +> Please be aware of any additional services that may be selected as part of the Azure sign up process. + 1. **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal. 1. **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email. From 273f10acac0246beb704da4e6e2f5002c63b2e08 Mon Sep 17 00:00:00 2001 From: Andy Rivas <45184653+andyrivMSFT@users.noreply.github.com> Date: Mon, 10 Jul 2023 10:01:14 -0700 Subject: [PATCH 005/110] Update windows/deployment/do/mcc-isp-signup.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/do/mcc-isp-signup.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index f0739c591c..b83d78d4c8 100644 --- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md 
@@ -30,8 +30,8 @@ Before you begin sign up, ensure you have the following components: 1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You'll need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, go to the [Pay-As-You-Go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/). > [!NOTE] -> Microsoft Connected Cache is a completely free service for operators. None of the resources created in Azure will incure any charges. -> Please be aware of any additional services that may be selected as part of the Azure sign up process. +> - Microsoft Connected Cache is a completely free service for operators. None of the resources created in Azure will incur any charges. +> - Be aware, however, that any additional services that might be selected as part of the Azure sign-up process might incur charges. 1. **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal. From abc2bbad821b38aed08d056813ef9c3908c61c1c Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 13 Jul 2023 14:40:03 -0400 Subject: [PATCH 006/110] Update Boot Image with CU Article --- windows/deployment/update-boot-image.md | 27 +++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 windows/deployment/update-boot-image.md diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md new file mode 100644 index 0000000000..1e1246c0a1 --- /dev/null +++ b/windows/deployment/update-boot-image.md 
@@ -0,0 +1,27 @@ +--- +title: Update Windows PE boot image with the latest cumulative updates +description: This article describes how to update a Windows PE (WinPE) boot image with the latest cumulative update. +ms.prod: windows-client +ms.localizationpriority: medium +author: frankroj +manager: aaroncz +ms.author: frankroj +ms.topic: article +ms.date: 07/13/2023 +ms.technology: itpro-deploy +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 + - ✅ Windows Server 2022 + - ✅ Windows Server 2019 + - ✅ Windows Server 2016 +--- +--- + +# Update Windows PE boot image with the latest cumulative update + +This walkthrough describes how to update a Windows PE (WinPE) boot image with the latest cumulative update. + +## Prerequisites + +- [Windows Assessment and Deployment Kit (ADK)](https://docs.microsoft.com/windows-hardware/get-started/adk-install). Recommended to use the latest version of the ADK. \ No newline at end of file From b19b980b2e4a4f94a2fa65d3677fb85f86cd65fa Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 14 Jul 2023 18:02:18 -0400 Subject: [PATCH 007/110] Update Boot Image with CU Article 2 --- windows/deployment/update-boot-image.md | 83 ++++++++++++++++++++++++- 1 file changed, 82 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 1e1246c0a1..4c8b669cc4 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -20,8 +20,89 @@ appliesto: # Update Windows PE boot image with the latest cumulative update + + This walkthrough describes how to update a Windows PE (WinPE) boot image with the latest cumulative update. ## Prerequisites -- [Windows Assessment and Deployment Kit (ADK)](https://docs.microsoft.com/windows-hardware/get-started/adk-install). Recommended to use the latest version of the ADK. \ No newline at end of file +- [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install). Recommended to use the latest version of the ADK. + +## Overview + +Note about boot.wim from installation media + +## Steps + +1. Download and install ADK +2. Download cumulative update (CU) +3. Backup existing boot image (e.g. winpe.wim or boot.wim) +4. Mount boot image to temporary mount folder +5. Add optional components to boot image +6. Add cumulative update (CU) to boot image +7. Copy boot files from mounted image to ADK installation location +8. Perform component cleanup +9. Unmount boot image and save changes +10. Export boot image to reduce size + +## Step 1: Download and install ADK + +## Step 2: Download CU + +## Step 3: Backup existing boot image + +## Step 4: Mount boot image to temporary mount folder + +## Step 5: Add optional components to boot image + +## Step 6: Add cumulative update (CU) to boot image + +## Step 7: Copy boot files from mounted image to ADK installation location + +## Step 8: Perform component cleanup + +## Step 9: Unmount boot image and save changes + +## Step 10: Export boot image to reduce size + +## Script outline + +This PowerShell script appears to be a patching script for the Windows Assessment and Deployment Kit (ADK) and the Windows Preinstallation Environment (WinPE). Here's a breakdown of what the script does: + +1. It begins with some comments explaining the purpose of the script and providing links to relevant documentation. + +2. 
The script defines various variables such as `$SMSProvider2012R2`, `$MountFolder`, `$downloads`, and several `$CUDownloadUrl` variables. These variables specify download URLs for cumulative updates (CUs) and other files. + +3. The script includes functions like `Test-RegistryValue` and `Get-RegistryValue` for checking and retrieving registry values. + +4. It checks if the ADK is installed on the system by checking the registry key `HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Kits\Installed Roots`. If the ADK is detected, it retrieves the installation location from the registry. + +5. The script verifies the existence of the WinPE image file (`winpe.wim`) and extracts the version information from it. + +6. Depending on the WinPE version, the script selects the appropriate CU download URL and sets the `$SSURequired` flag if a Servicing Stack Update (SSU) is needed. + +7. It checks if certain folders exist and creates them if necessary (`$downloads`, `$downloads\SSU`, and `$MountFolder`). + +8. If the CU file does not already exist in the specified download folder, it uses `Start-BitsTransfer` to download it from the provided URL. + +9. If an SSU is required, it performs a similar download process for the SSU file. + +10. The script creates a backup of the existing `winpe.wim` file by copying it to `winpe.bak`. If a previous backup already exists, it renames it with the current date appended. + +11. It mounts the `winpe.wim` file using `Mount-WindowsImage` to a temporary mount folder (`$MountFolder`). + +12. If an SSU is required, it adds the SSU package to the mounted image using `Add-WindowsPackage`. + +13. It then iterates through a list of optional components (`$OptionalComponents`) and adds the corresponding packages to the mounted image using `Add-WindowsPackage`. It also checks for language-specific versions of the components and adds them if available. + +14. The script adds the downloaded CU package to the mounted image using `Add-WindowsPackage`. + +15. 
It copies updated boot manager files (`bootmgr.efi` and `bootmgfw.efi`) from the mounted image back to the ADK installation location. + +16. It performs a component cleanup operation on the mounted image using `dism.exe` to reduce the image size. + +17. The script exports the list of installed packages in the modified image to a text file. + +18. Finally, it dismounts the image with the modifications, saves the changes, and exports the modified `winpe.wim` file as a new file with reduced file size. It also creates a backup of the original `winpe.wim` file and cleans up temporary files. + +The script appears to be designed to update and patch the WinPE image in the ADK installation based on the installed ADK version and the provided CU and SSU files. From 8e5971c66ef98ba71bffa1bfa461b3284f9054db Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 14 Jul 2023 18:37:13 -0400 Subject: [PATCH 008/110] Update Boot Image with CU Article 3 --- windows/deployment/update-boot-image.md | 54 +++++++++++++++++++------ 1 file changed, 42 insertions(+), 12 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 4c8b669cc4..8e7895218f 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -26,11 +26,16 @@ This walkthrough describes how to update a Windows PE (WinPE) boot image with th ## Prerequisites -- [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install). Recommended to use the latest version of the ADK. +- [Windows Assessment and Deployment Kit (Windows ADK)](/windows-hardware/get-started/adk-install) - It's recommended to use the latest version of the ADK. +- [Windows PE add-on for the Windows ADK](/windows-hardware/get-started/adk-install). Make sure the version of Windows PE matches the version of Windows ADK that is being used. +- Boot image - This can be `winpe.wim` included with the Windows ADK. +- Latest cumulative update downloaded from the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site. ## Overview Note about boot.wim from installation media +Note about Win11 ADK only having x64 boot images +Note about Windows Server 2012 R2 ## Steps 
@@ -39,31 +44,56 @@ Note about boot.wim from installation media 3. Backup existing boot image (e.g. winpe.wim or boot.wim) 4. Mount boot image to temporary mount folder 5. Add optional components to boot image -6. Add cumulative update (CU) to boot image -7. Copy boot files from mounted image to ADK installation location -8. Perform component cleanup -9. Unmount boot image and save changes -10. Export boot image to reduce size +6. Add optional components OCs to boot image +7. Add cumulative update (CU) to boot image +8. Copy boot files from mounted image to ADK installation location +9. Perform component cleanup +10. Unmount boot image and save changes +11. Export boot image to reduce size ## Step 1: Download and install ADK -## Step 2: Download CU +- Download and install the **Windows Assessment and Deployment Kit (Windows ADK)** from [Download and install the Windows ADK](windows-hardware/get-started/adk-install). + +- Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](windows-hardware/get-started/adk-install). Make sure to download and install both components. + +- It's strongly recommended to download and install the latest version of the ADK. + +- When installing the Windows ADK, it's only necessary to install the **Deployment Tools**. + +## Step 2: Download cumulative update (CU) + +- Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update for the version of Windows that matches the version of Windows PE that was downloaded in [Step 1](#step-1-download-and-install-adk) or the version of the Windows PE boot image that will be updated. + +- When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"- cumulative update for windows "` where `year` is the four digit current year, `` is the two digit current month, and `` is the version of Windows that Windows PE is based on. 
For example, to search for the latest cumulative update for Windows 11 in July 2023, use the search term `"2023-07 cumulative update for windows 11"`. If the cumulative update hasn't been released yet for the current month, then search on the previous month. + +- Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the **Cumulative Update for Windows 11 Version 22H2 for x64-based Systems" version of the update. + +- Store the downloaded cumulative update in a known location for later use. ## Step 3: Backup existing boot image +Before modifying the desired boot image, make a backup copy of the boot image being modified. For example, + +- For the boot image included with the **Windows PE add-on for the Windows ADK**, the boot image is located at `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim`. + +- For the boot image included with Microsoft Configuration Manager, the boot image is located at `\OSD\boot\x64\boot.wim` + ## Step 4: Mount boot image to temporary mount folder ## Step 5: Add optional components to boot image -## Step 6: Add cumulative update (CU) to boot image +## Step 6: Add optional components OCs to boot image -## Step 7: Copy boot files from mounted image to ADK installation location +## Step 7: Add cumulative update (CU) to boot image -## Step 8: Perform component cleanup +## Step 8: Copy boot files from mounted image to ADK installation location -## Step 9: Unmount boot image and save changes +## Step 9: Perform component cleanup -## Step 10: Export boot image to reduce size +## Step 10: Unmount boot image and save changes + +## Step 11: Export boot image to reduce size ## Script outline From 139b14ff6231958f61bbdeaf1ffa8b6d0bab301d Mon Sep 17 00:00:00 2001 
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Sat, 15 Jul 2023 12:26:04 -0400 Subject: [PATCH 009/110] Update Boot Image with CU Article 4 --- windows/deployment/update-boot-image.md | 200 ++++++++++++++++++++---- 1 file changed, 168 insertions(+), 32 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 8e7895218f..58a067d325 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -43,24 +43,27 @@ Note about Windows Server 2012 R2 2. Download cumulative update (CU) 3. Backup existing boot image (e.g. winpe.wim or boot.wim) 4. Mount boot image to temporary mount folder -5. Add optional components to boot image -6. Add optional components OCs to boot image +5. Add drivers to boot image +6. Add optional components to boot image 7. Add cumulative update (CU) to boot image 8. Copy boot files from mounted image to ADK installation location 9. Perform component cleanup -10. Unmount boot image and save changes -11. Export boot image to reduce size +10. Verify all desired packages have been added to boot image +11. Unmount boot image and save changes +12. Export boot image to reduce size ## Step 1: Download and install ADK -- Download and install the **Windows Assessment and Deployment Kit (Windows ADK)** from [Download and install the Windows ADK](windows-hardware/get-started/adk-install). +- Download and install the **Windows Assessment and Deployment Kit (Windows ADK)** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). -- Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](windows-hardware/get-started/adk-install). Make sure to download and install both components. +- Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). Make sure to download and install both components. - It's strongly recommended to download and install the latest version of the ADK. - When installing the Windows ADK, it's only necessary to install the **Deployment Tools**. +- The paths in this article assume the Windows ADK was installed to the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths accordingly. 
+ ## Step 2: Download cumulative update (CU) - Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update for the version of Windows that matches the version of Windows PE that was downloaded in [Step 1](#step-1-download-and-install-adk) or the version of the Windows PE boot image that will be updated. @@ -71,9 +74,15 @@ Note about Windows Server 2012 R2 - Store the downloaded cumulative update in a known location for later use. +> [!TIP] +> +> It is recommended to use the full cumulative update when updating boot images with a cumulative update. However, instead of downloading the full cumulative update, the cumulative update for SafeOS can be downloaded and used instead. This will reduce the size of the final updated boot image. If any issues occur with a boot image updated with the SafeOS cumulative update, then use the full cumulative update instead. +> +> The SafeOS cumulative update can be found in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site by searching on... + ## Step 3: Backup existing boot image -Before modifying the desired boot image, make a backup copy of the boot image being modified. For example, +Before modifying the desired boot image, make a backup copy of the boot image. For example, - For the boot image included with the **Windows PE add-on for the Windows ADK**, the boot image is located at `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim`. 
@@ -81,58 +90,185 @@ Before modifying the desired boot image, make a backup copy of the boot image be ## Step 4: Mount boot image to temporary mount folder -## Step 5: Add optional components to boot image +- Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. -## Step 6: Add optional components OCs to boot image +```powershell +Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose +``` + +For more information, see [Mount-WindowsImage](/powershell/module/dism/mount-windowsimage) + +```cmd +DISM.exe /Mount-image /imagefile:"" /Index:1 /MountDir:"" +``` + +For more information, see [Modify a Windows image using DISM: Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) and [DISM Image Management Command-Line Options: /Mount-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#mount-image). + +## Step 5: Add drivers to boot image + +If needed, add any drivers to the boot image. + +```powershell +Command to be determined +``` + +```cmd +DISM.exe/Image:"" /Add-Driver /Driver:"\.inf" + +DISM.exe /Image:"" /Add-Driver /Driver:" [!IMPORTANT] +> +> For Microsoft Configuration Manager boot images, don't manually add drivers to the boot image using the above steps. Instead, add drivers through Configuration Manager via the **Drivers** tab in the **Properties** of the boot image. This will ensure that the drivers in the boot image can be properly managed through Configuration Manager. Drivers are not affected by the cumulative update installed later in this walkthrough. + +## Step 6: Add optional components to boot image + +- Add any desired optional components to the boot image. +- The below examples assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. 
+ +```powershell +Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" -Path "" -Verbose +``` + +For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). + +```cmd +DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" +``` + +You can add as many desired optional components as needed on a single DISM.exe command line. + +For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). + +- Make sure that after adding the optional component to also add the language specific component for that optional component. For example, for English United States (en-us), add the following: + +```powershell +Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -Path "" -Verbose +``` + +```cmd +DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" +``` + +You can add as many desired optional components as needed on a single DISM.exe command line. 
+ +> [!IMPORTANT] +> +> For Microsoft Configuration Manager boot images, make sure to add any desired optional components manually using the above command lines instead of adding them through Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. This is because the cumulative update being applied at the next step will also update any optional components as needed. If the optional components are instead added through Configuration Manager, then the optional components will not be updated with the cumulative update. This could lead to unexpected behaviors and problems. +> +> For this reason, make sure to add the following required optional components need by Configuration Manager: +> +> - Scripting (WinPE-Scripting) +> - Startup (WinPE-SecureStartup) +> - Network (WinPE-WDS-Tools) +> - WMI (WinPE-WMI) +> +> Once any optional components has been manually added to a boot image, Configuration Manager will detect that the optional component has already been added. It will not try to add the optional component again whenever it is updating the boot image. + +### List of optional components ## Step 7: Add cumulative update (CU) to boot image +- Apply the cumulative update (CU) downloaded earlier in the walkthrough to the boot image. + +```powershell +Add-WindowsPackage -PackagePath "" -Path "" -Verbose +``` + +For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage) + +```cmd +DISM.exe /Image:"" /Add-Package /PackagePath:"" +``` + +For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). 
+ +> [!IMPORTANT] +> +> Make sure not to apply the cumulative update (CU) until all desired optional components have been installed. This will make sure that the optional components are also properly updated by the cumulative update. If in the future any additional optional components need to be added to the boot image, make sure to reapply the cumulative update. + ## Step 8: Copy boot files from mounted image to ADK installation location +- Copy the updated bootmgr files from the updated boot image to the ADK installation location. +- This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr files are available to the ADK when creating bootable media. In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). 
+ +```powershell +Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Force + +Copy-Item "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" -Force +``` + +```cmd +CMD commands to be determined +``` + ## Step 9: Perform component cleanup -## Step 10: Unmount boot image and save changes +- Run DISM.exe commands that will clean up the mounted image and help reduce its size -## Step 11: Export boot image to reduce size +```powershell +Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase /Defer" -Wait -LoadUserProfile -## Script outline +Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase" -Wait -LoadUserProfile +``` -This PowerShell script appears to be a patching script for the Windows Assessment and Deployment Kit (ADK) and the Windows Preinstallation Environment (WinPE). Here's a breakdown of what the script does: +```cmd +DISM.exe /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase /Defer -1. It begins with some comments explaining the purpose of the script and providing links to relevant documentation. +DISM.exe /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase +``` -2. The script defines various variables such as `$SMSProvider2012R2`, `$MountFolder`, `$downloads`, and several `$CUDownloadUrl` variables. These variables specify download URLs for cumulative updates (CUs) and other files. 
+For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Cleanup-Image](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#cleanup-image). -3. The script includes functions like `Test-RegistryValue` and `Get-RegistryValue` for checking and retrieving registry values. +## Step 10: Verify all desired packages have been added to boot image -4. It checks if the ADK is installed on the system by checking the registry key `HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Kits\Installed Roots`. If the ADK is detected, it retrieves the installation location from the registry. +- After the optional components and the cumulative update (CU) have been applied to the boot image, verify that they are showing as installed. -5. The script verifies the existence of the WinPE image file (`winpe.wim`) and extracts the version information from it. +```powershell +Get-WindowsPackage -Path "" +``` -6. Depending on the WinPE version, the script selects the appropriate CU download URL and sets the `$SSURequired` flag if a Servicing Stack Update (SSU) is needed. +For more information, see [Get-WindowsPackage](/powershell/module/dism/get-windowspackage). -7. It checks if certain folders exist and creates them if necessary (`$downloads`, `$downloads\SSU`, and `$MountFolder`). +```cmd +DISM.exe /Image:"" /Get-Packages +``` -8. If the CU file does not already exist in the specified download folder, it uses `Start-BitsTransfer` to download it from the provided URL. +For more information, see [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Get-Packages](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#get-packages). -9. 
If an SSU is required, it performs a similar download process for the SSU file. +## Step 11: Unmount boot image and save changes -10. The script creates a backup of the existing `winpe.wim` file by copying it to `winpe.bak`. If a previous backup already exists, it renames it with the current date appended. +- Once drivers, optional components, and the cumulative update (CU) have been applied to the boot image, unmount the boot image and save changes. -11. It mounts the `winpe.wim` file using `Mount-WindowsImage` to a temporary mount folder (`$MountFolder`). +```powershell +Dismount-WindowsImage -Path "" -Save -Verbose +``` -12. If an SSU is required, it adds the SSU package to the mounted image using `Add-WindowsPackage`. +For more information, see [Dismount-WindowsImage](/powershell/module/dism/dismount-windowsimage). -13. It then iterates through a list of optional components (`$OptionalComponents`) and adds the corresponding packages to the mounted image using `Add-WindowsPackage`. It also checks for language-specific versions of the components and adds them if available. +```cmd +DISM.exe /Unmount-Image /MountDir:"" /Commit +``` -14. The script adds the downloaded CU package to the mounted image using `Add-WindowsPackage`. +For more information, see [Modify a Windows image using DISM: Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image) and [DISM Image Management Command-Line Options: /Unmount-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#unmount-image). -15. It copies updated boot manager files (`bootmgr.efi` and `bootmgfw.efi`) from the mounted image back to the ADK installation location. +## Step 12: Export boot image to reduce size -16. It performs a component cleanup operation on the mounted image using `dism.exe` to reduce the image size. +- Once the boot image has been unmounted and saved, its size can be further reduced by exporting it. 
-17. The script exports the list of installed packages in the modified image to a text file. +```powershell +Export-WindowsImage -SourceImagePath "\.wim" -SourceIndex 1 -DestinationImagePath "\-export.wim" -CompressionType max -Verbose +``` -18. Finally, it dismounts the image with the modifications, saves the changes, and exports the modified `winpe.wim` file as a new file with reduced file size. It also creates a backup of the original `winpe.wim` file and cleans up temporary files. +For more information, see [Export-WindowsImage](/powershell/module/dism/export-windowsimage). -The script appears to be designed to update and patch the WinPE image in the ADK installation based on the installed ADK version and the provided CU and SSU files. +```cmd +DISM.exe /Export-Image /SourceImageFile:"\.wim" /SourceIndex:1 /DestinationImageFile:"\-export.wim" +``` + +For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Image Management Command-Line Options: /Export-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#export-image). + +Once the export has completed, delete the original boot image and then rename the exported boot image with the name of the original boot image. From 41a226ea5de5399cd9bd1e26e2693c5a4052e730 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Sat, 15 Jul 2023 12:32:04 -0400 Subject: [PATCH 010/110] Update Boot Image with CU Article 5 --- windows/deployment/update-boot-image.md | 29 +++++++++++++++---------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 58a067d325..46fcd30cdd 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
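Review bot: in the Step 9 PowerShell block added by the hunk that ends above, both `Start-Process` calls pass `-ArgumentList` as a double-quoted string that itself contains double quotes around the `/Image:` value. Those inner quotes are interpreted by PowerShell instead of reaching DISM as written, and a mount path that contains spaces is unlikely to survive. Enclose the whole argument string in single quotes, or escape the inner quotes with backticks, so that DISM receives the quoted path.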
@@ -39,18 +39,23 @@ Note about Windows Server 2012 R2 ## Steps -1. Download and install ADK -2. Download cumulative update (CU) -3. Backup existing boot image (e.g. winpe.wim or boot.wim) -4. Mount boot image to temporary mount folder -5. Add drivers to boot image -6. Add optional components to boot image -7. Add cumulative update (CU) to boot image -8. Copy boot files from mounted image to ADK installation location -9. Perform component cleanup -10. Verify all desired packages have been added to boot image -11. Unmount boot image and save changes -12. Export boot image to reduce size +- [Update Windows PE boot image with the latest cumulative update](#update-windows-pe-boot-image-with-the-latest-cumulative-update) + - [Prerequisites](#prerequisites) + - [Overview](#overview) + - [Steps](#steps) + - [Step 1: Download and install ADK](#step-1-download-and-install-adk) + - [Step 2: Download cumulative update (CU)](#step-2-download-cumulative-update-cu) + - [Step 3: Backup existing boot image](#step-3-backup-existing-boot-image) + - [Step 4: Mount boot image to temporary mount folder](#step-4-mount-boot-image-to-temporary-mount-folder) + - [Step 5: Add drivers to boot image](#step-5-add-drivers-to-boot-image) + - [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) + - [List of optional components](#list-of-optional-components) + - [Step 7: Add cumulative update (CU) to boot image](#step-7-add-cumulative-update-cu-to-boot-image) + - [Step 8: Copy boot files from mounted image to ADK installation location](#step-8-copy-boot-files-from-mounted-image-to-adk-installation-location) + - [Step 9: Perform component cleanup](#step-9-perform-component-cleanup) + - [Step 10: Verify all desired packages have been added to boot image](#step-10-verify-all-desired-packages-have-been-added-to-boot-image) + - [Step 11: Unmount boot image and save changes](#step-11-unmount-boot-image-and-save-changes) + - [Step 12: Export boot image to reduce 
size](#step-12-export-boot-image-to-reduce-size) ## Step 1: Download and install ADK From 727d16180edb5582cc1d0ecd012c0ee02f9e4ad9 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Sat, 15 Jul 2023 12:38:23 -0400 Subject: [PATCH 011/110] Update Boot Image with CU Article 6 --- windows/deployment/update-boot-image.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 46fcd30cdd..64f6474518 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -51,7 +51,7 @@ Note about Windows Server 2012 R2 - [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) - [List of optional components](#list-of-optional-components) - [Step 7: Add cumulative update (CU) to boot image](#step-7-add-cumulative-update-cu-to-boot-image) - - [Step 8: Copy boot files from mounted image to ADK installation location](#step-8-copy-boot-files-from-mounted-image-to-adk-installation-location) + - [Step 8: Copy boot files from mounted image to ADK installation path](#step-8-copy-boot-files-from-mounted-image-to-adk-installation-path) - [Step 9: Perform component cleanup](#step-9-perform-component-cleanup) - [Step 10: Verify all desired packages have been added to boot image](#step-10-verify-all-desired-packages-have-been-added-to-boot-image) - [Step 11: Unmount boot image and save changes](#step-11-unmount-boot-image-and-save-changes) 
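Review bot: the list that the `@@ -39,18 +39,23 @@` hunk puts under `## Steps` is a table of contents for the whole article, not a list of steps. Its first entries link to the article title, to Prerequisites, to Overview and to `#steps` itself, with the twelve steps nested three levels down. Keep only the Step 1 to Step 12 links as a flat list under this heading. The Step 8 fragment edited in the `@@ -51,7 +51,7 @@` hunk is written by hand, so it has to stay in step with the heading text that the same change renames further down.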
@@ -87,11 +87,11 @@ Note about Windows Server 2012 R2 ## Step 3: Backup existing boot image -Before modifying the desired boot image, make a backup copy of the boot image. For example, +- Before modifying the desired boot image, make a backup copy of the boot image. For example, -- For the boot image included with the **Windows PE add-on for the Windows ADK**, the boot image is located at `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim`. + - For the boot image included with the **Windows PE add-on for the Windows ADK**, the boot image is located at `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim`. -- For the boot image included with Microsoft Configuration Manager, the boot image is located at `\OSD\boot\x64\boot.wim` + - For the boot image included with Microsoft Configuration Manager, the boot image is located at `\OSD\boot\x64\boot.wim` ## Step 4: Mount boot image to temporary mount folder @@ -111,7 +111,7 @@ For more information, see [Modify a Windows image using DISM: Mount an image](/w ## Step 5: Add drivers to boot image -If needed, add any drivers to the boot image. +- If needed, add any drivers to the boot image. ```powershell Command to be determined 
@@ -195,9 +195,9 @@ For more information, see [Add or Remove Packages Offline Using DISM](/windows-h > > Make sure not to apply the cumulative update (CU) until all desired optional components have been installed. This will make sure that the optional components are also properly updated by the cumulative update. If in the future any additional optional components need to be added to the boot image, make sure to reapply the cumulative update. -## Step 8: Copy boot files from mounted image to ADK installation location +## Step 8: Copy boot files from mounted image to ADK installation path -- Copy the updated bootmgr files from the updated boot image to the ADK installation location. +- Copy the updated bootmgr files from the updated boot image to the ADK installation path. - This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr files are available to the ADK when creating bootable media. In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). ```powershell @@ -207,7 +207,7 @@ Copy-Item "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files ``` ```cmd -CMD commands to be determined +Command to be determined ``` ## Step 9: Perform component cleanup 
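Review bot: the `cmd` block for Step 8 is still a placeholder after the `@@ -207,7 +207,7 @@` hunk ("Command to be determined", previously "CMD commands to be determined"), while the step text says this copy is needed when addressing the BlackLotus UEFI bootkit vulnerability (CVE-2023-24932). A reader following the command-line path has no way to carry out the step and would be left with the older bootmgr files in the ADK media folder. Add the `copy /Y` equivalents of the two `Copy-Item` lines, with the same source and destination paths, before this is published.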
@@ -276,4 +276,4 @@ DISM.exe /Export-Image /SourceImageFile:"\.wim" /So For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Image Management Command-Line Options: /Export-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#export-image). -Once the export has completed, delete the original boot image and then rename the exported boot image with the name of the original boot image. +- Once the export has completed, delete the original boot image and then rename the exported boot image with the name of the original boot image. From 0a707c7512d5b2baea2b8b0b9effee9d650fa843 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Sat, 15 Jul 2023 13:49:25 -0400 Subject: [PATCH 012/110] Update Boot Image with CU Article 7 --- windows/deployment/update-boot-image.md | 30 +++++++++++-------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 64f6474518..c8356bd297 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -39,23 +39,19 @@ Note about Windows Server 2012 R2 ## Steps -- [Update Windows PE boot image with the latest cumulative update](#update-windows-pe-boot-image-with-the-latest-cumulative-update) - - [Prerequisites](#prerequisites) - - [Overview](#overview) - - [Steps](#steps) - - [Step 1: Download and install ADK](#step-1-download-and-install-adk) - - [Step 2: Download cumulative update (CU)](#step-2-download-cumulative-update-cu) - - [Step 3: Backup existing boot image](#step-3-backup-existing-boot-image) - - [Step 4: Mount boot image to temporary mount folder](#step-4-mount-boot-image-to-temporary-mount-folder) - - [Step 5: Add drivers to boot image](#step-5-add-drivers-to-boot-image) - - [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) - - [List of optional components](#list-of-optional-components) - - [Step 7: Add cumulative update (CU) to boot image](#step-7-add-cumulative-update-cu-to-boot-image) - - [Step 8: Copy boot files from mounted image to ADK installation path](#step-8-copy-boot-files-from-mounted-image-to-adk-installation-path) - - [Step 9: Perform component cleanup](#step-9-perform-component-cleanup) - - [Step 10: Verify all desired packages have been added to boot image](#step-10-verify-all-desired-packages-have-been-added-to-boot-image) - - [Step 11: Unmount boot image and save changes](#step-11-unmount-boot-image-and-save-changes) - - [Step 12: Export boot image to reduce size](#step-12-export-boot-image-to-reduce-size) +- [Step 1: Download and install ADK](#step-1-download-and-install-adk) +- [Step 2: Download cumulative update (CU)](#step-2-download-cumulative-update-cu) +- [Step 3: Backup existing boot image](#step-3-backup-existing-boot-image) +- [Step 4: Mount boot image to temporary mount folder](#step-4-mount-boot-image-to-temporary-mount-folder) +- [Step 5: Add drivers to boot image](#step-5-add-drivers-to-boot-image) +- [Step 6: Add optional components to boot 
image](#step-6-add-optional-components-to-boot-image) +- [Step 7: Add cumulative update (CU) to boot image](#step-7-add-cumulative-update-cu-to-boot-image) +- [Step 8: Copy boot files from mounted image to ADK installation path](#step-8-copy-boot-files-from-mounted-image-to-adk-installation-path) +- [Step 9: Perform component cleanup](#step-9-perform-component-cleanup) +- [Step 10: Verify all desired packages have been added to boot image](#step-10-verify-all-desired-packages-have-been-added-to-boot-image) +- [Step 11: Unmount boot image and save changes](#step-11-unmount-boot-image-and-save-changes) +- [Step 12: Export boot image to reduce size](#step-12-export-boot-image-to-reduce-size) + ## Step 1: Download and install ADK From 71dadf67dd0f959f043c4f83f170993608fd3a75 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Sat, 15 Jul 2023 14:01:22 -0400 Subject: [PATCH 013/110] Update Boot Image with CU Article 8 --- windows/deployment/update-boot-image.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index c8356bd297..020627f1e1 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -52,7 +52,6 @@ Note about Windows Server 2012 R2 - [Step 11: Unmount boot image and save changes](#step-11-unmount-boot-image-and-save-changes) - [Step 12: Export boot image to reduce size](#step-12-export-boot-image-to-reduce-size) - ## Step 1: Download and install ADK - Download and install the **Windows Assessment and Deployment Kit (Windows ADK)** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). 
@@ -273,3 +272,9 @@ DISM.exe /Export-Image /SourceImageFile:"\.wim" /So For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Image Management Command-Line Options: /Export-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#export-image). - Once the export has completed, delete the original boot image and then rename the exported boot image with the name of the original boot image. + +## Considerations for Microsoft Configuration Manager + +## Considerations for Microsoft Deployment Toolkit (MDT) + +## Considerations for Windows Deployment Services (WDS) From d11813a895802a985d80e8769868a30ace2cfe85 Mon Sep 17 00:00:00 2001 From: Urbs3w <34245495+Urbs3w@users.noreply.github.com> Date: Mon, 24 Jul 2023 10:28:31 -0500 Subject: [PATCH 014/110] In getting-started-with-the-user-state-migration-tool.md, say to use the "/genconfig option" instead of the "ScanState Syntax option" The part that said, "use the ScanState Syntax option" didn't make sense, so--as you can probably see in the diff--I replaced that part with "use the /genconfig option" in order to make that part make sense. I also changed the link that's in that part to link directly to the "Migration rule options" section of the "ScanState syntax" article instead of the top of that article because that seems more helpful than linking to the top of the article. However, if it's Microsoft's style to link to the top of an article instead of directly to a relevant section, feel free to revert that change in order to be consistent with your prescribed style. --- .../getting-started-with-the-user-state-migration-tool.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index b550aa4d52..e7cea642e3 100644 --- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md 
@@ -31,13 +31,13 @@ This article outlines the general process that you should follow to migrate file You can use the `MigXML.xsd` file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). -6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the `ScanState.exe` command. For example, the following command creates a `Config.xml` file by using the `MigDocs.xml` and `MigApp.xml` files: +6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, run the `ScanState.exe` command with the [/genconfig](usmt-scanstate-syntax.md#migration-rule-options) option and specify the .xml files that you use with `ScanState.exe` as arguments. For example, the following command creates a `Config.xml` file by using the `MigDocs.xml` and `MigApp.xml` files: ```cmd ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log ``` -7. Review the migration state of the components listed in the `Config.xml` file, and specify `migrate=no` for any components that you don't want to migrate. +7. Review and modify the `Config.xml` file to specify components that you don't want to migrate. Open the `Config.xml` that you generated, review the migration state of the components listed in it, and specify `migrate=no` for any components that you don't want to migrate. ## Step 2: Collect files and settings from the source computer From 26529560e5945ff543f1673fefd8011c3b451b9a Mon Sep 17 00:00:00 2001 
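Review bot: the new step 7 text says the same thing twice. "Review and modify the `Config.xml` file to specify components that you don't want to migrate" is restated in full by the sentence that follows it, which also ends with "components that you don't want to migrate". Keep the second sentence on its own, or cut the first down to a short lead-in such as "Review and modify the `Config.xml` file." Since the line is being rewritten anyway, the attribute could also be shown the way it is written in the file, `migrate="no"`, rather than `migrate=no`.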
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 26 Jul 2023 17:01:41 -0400 Subject: [PATCH 015/110] Update Boot Image with CU Article 9 --- windows/deployment/update-boot-image.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 020627f1e1..ea37fe456d 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -7,7 +7,7 @@ author: frankroj manager: aaroncz ms.author: frankroj ms.topic: article -ms.date: 07/13/2023 +ms.date: 07/26/2023 ms.technology: itpro-deploy appliesto: - ✅ Windows 11 @@ -92,12 +92,16 @@ Note about Windows Server 2012 R2 - Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. +#### [**Intune**](#tab/powershell) + ```powershell Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose ``` For more information, see [Mount-WindowsImage](/powershell/module/dism/mount-windowsimage) +#### [**Intune**](#tab/cmd) + ```cmd DISM.exe /Mount-image /imagefile:"" /Index:1 /MountDir:"" ``` From 11239b5bef1628a1a3eda78e3a145ad712ef524c Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 26 Jul 2023 17:13:43 -0400 Subject: [PATCH 016/110] Update Boot Image with CU Article 10 --- windows/deployment/update-boot-image.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index ea37fe456d..61569346a7 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -92,7 +92,7 @@ Note about Windows Server 2012 R2 - Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. -#### [**Intune**](#tab/powershell) +#### [**PowerShell**](#tab/powershell) ```powershell Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose 
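Review bot: the context line at the top of this hunk, and of the `@@ -92,12 +92,16 @@` hunk before it, reads "Create a new empty empty folder to mount the boot image to", with "empty" doubled; drop one while this block is being edited. As a style point, the tab headings added here are level 4 (`####`) directly under the level 2 `## Step 4` heading, which skips a level; `###` would keep the outline consistent.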
@@ -100,7 +100,7 @@ Mount-WindowsImage -Path "" -ImagePath "\" /Index:1 /MountDir:"" From a4bda15fba6942ae928430eed9b0a8ad14294b62 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 26 Jul 2023 17:21:46 -0400 Subject: [PATCH 017/110] Update Boot Image with CU Article 11 --- windows/deployment/update-boot-image.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 61569346a7..2ede59d33e 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -108,6 +108,8 @@ DISM.exe /Mount-image /imagefile:"" /Index:1 /MountDir:" Date: Wed, 26 Jul 2023 18:00:45 -0400 Subject: [PATCH 018/110] Update Boot Image with CU Article 12 --- windows/deployment/update-boot-image.md | 58 ++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 2ede59d33e..f35ddfa10d 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -92,7 +92,7 @@ Note about Windows Server 2012 R2 - Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. -#### [**PowerShell**](#tab/powershell) +### [**PowerShell**](#tab/powershell) ```powershell Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose @@ -100,7 +100,7 @@ Mount-WindowsImage -Path "" -ImagePath "\" /Index:1 /MountDir:"" @@ -114,10 +114,14 @@ For more information, see [Modify a Windows image using DISM: Mount an image](/w - If needed, add any drivers to the boot image. +### [**PowerShell**](#tab/powershell) + ```powershell Command to be determined ``` +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe/Image:"" /Add-Driver /Driver:"\.inf" 
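Review bot: the Command Line tab heading added in the `@@ -114,10 +114,14 @@` hunk is malformed. In `### [**Command Line]**](#tab/command-line)` the `]` comes before the closing `**`, so the text does not parse as a Markdown link to `#tab/command-line`. It should read `### [**Command Line**](#tab/command-line)`, matching the PowerShell heading two lines above it. The same heading is repeated in the later tab groups of this change, so correct them together.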
@@ -126,6 +130,8 @@ DISM.exe /Image:"" /Add-Driver /Driver:" [!IMPORTANT] > > For Microsoft Configuration Manager boot images, don't manually add drivers to the boot image using the above steps. Instead, add drivers through Configuration Manager via the **Drivers** tab in the **Properties** of the boot image. This will ensure that the drivers in the boot image can be properly managed through Configuration Manager. Drivers are not affected by the cumulative update installed later in this walkthrough. 
@@ -135,32 +141,44 @@ For more information, see [Add and Remove Driver packages to an offline Windows - Add any desired optional components to the boot image. - The below examples assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. +### [**PowerShell**](#tab/powershell) + ```powershell Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" -Path "" -Verbose ``` For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" ``` +--- + You can add as many desired optional components as needed on a single DISM.exe command line. For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). - Make sure that after adding the optional component to also add the language specific component for that optional component. 
For example, for English United States (en-us), add the following: +### [**PowerShell**](#tab/powershell) + ```powershell Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -Path "" -Verbose ``` +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" ``` You can add as many desired optional components as needed on a single DISM.exe command line. +--- + > [!IMPORTANT] > > For Microsoft Configuration Manager boot images, make sure to add any desired optional components manually using the above command lines instead of adding them through Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. This is because the cumulative update being applied at the next step will also update any optional components as needed. If the optional components are instead added through Configuration Manager, then the optional components will not be updated with the cumulative update. This could lead to unexpected behaviors and problems. 
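Review bot: the two tab groups that this hunk adds to Step 6 close in different places. In the first group the `---` comes straight after the `cmd` fence, which leaves "You can add as many desired optional components as needed on a single DISM.exe command line." and the DISM.exe references outside the tabs, where readers of the PowerShell tab see them too. In the second group the same sentence sits inside the Command Line tab, before the `---`. Move the first `---` below the DISM.exe sentence and its "For more information" line so that both groups match.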
@@ -180,18 +198,24 @@ You can add as many desired optional components as needed on a single DISM.exe c - Apply the cumulative update (CU) downloaded earlier in the walkthrough to the boot image. +### [**PowerShell**](#tab/powershell) + ```powershell Add-WindowsPackage -PackagePath "" -Path "" -Verbose ``` For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage) +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Image:"" /Add-Package /PackagePath:"" ``` For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). +--- + > [!IMPORTANT] > > Make sure not to apply the cumulative update (CU) until all desired optional components have been installed. This will make sure that the optional components are also properly updated by the cumulative update. If in the future any additional optional components need to be added to the boot image, make sure to reapply the cumulative update. 
@@ -201,26 +225,36 @@ For more information, see [Add or Remove Packages Offline Using DISM](/windows-h - Copy the updated bootmgr files from the updated boot image to the ADK installation path. - This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr files are available to the ADK when creating bootable media. In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). +### [**PowerShell**](#tab/powershell) + ```powershell Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Force Copy-Item "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" -Force ``` +### [**Command Line]**](#tab/command-line) + ```cmd Command to be determined ``` +--- + ## Step 9: Perform component cleanup - Run DISM.exe commands that will clean up the mounted image and help reduce its size +### [**PowerShell**](#tab/powershell) + ```powershell Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase /Defer" -Wait -LoadUserProfile Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"" /Cleanup-image /StartComponentCleanup 
/Resetbase" -Wait -LoadUserProfile ``` +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase /Defer 
@@ -229,54 +263,74 @@ DISM.exe /Image:"" /Cleanup-image /StartComponentCleanup /Res For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Cleanup-Image](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#cleanup-image). +--- + ## Step 10: Verify all desired packages have been added to boot image - After the optional components and the cumulative update (CU) have been applied to the boot image, verify that they are showing as installed. +### [**PowerShell**](#tab/powershell) + ```powershell Get-WindowsPackage -Path "" ``` For more information, see [Get-WindowsPackage](/powershell/module/dism/get-windowspackage). +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Image:"" /Get-Packages ``` For more information, see [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Get-Packages](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#get-packages). +--- + ## Step 11: Unmount boot image and save changes - Once drivers, optional components, and the cumulative update (CU) have been applied to the boot image, unmount the boot image and save changes. +### [**PowerShell**](#tab/powershell) + ```powershell Dismount-WindowsImage -Path "" -Save -Verbose ``` For more information, see [Dismount-WindowsImage](/powershell/module/dism/dismount-windowsimage). 
+### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Unmount-Image /MountDir:"" /Commit ``` For more information, see [Modify a Windows image using DISM: Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image) and [DISM Image Management Command-Line Options: /Unmount-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#unmount-image). +--- + ## Step 12: Export boot image to reduce size - Once the boot image has been unmounted and saved, its size can be further reduced by exporting it. +### [**PowerShell**](#tab/powershell) + ```powershell Export-WindowsImage -SourceImagePath "\.wim" -SourceIndex 1 -DestinationImagePath "\-export.wim" -CompressionType max -Verbose ``` For more information, see [Export-WindowsImage](/powershell/module/dism/export-windowsimage). +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Export-Image /SourceImageFile:"\.wim" /SourceIndex:1 /DestinationImageFile:"\-export.wim" ``` For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Image Management Command-Line Options: /Export-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#export-image). +--- + - Once the export has completed, delete the original boot image and then rename the exported boot image with the name of the original boot image. ## Considerations for Microsoft Configuration Manager From 4be99c5118c6ff8769cf924c3368e93f98a378b9 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 26 Jul 2023 18:45:37 -0400 Subject: [PATCH 019/110] Update Boot Image with CU Article 13 --- windows/deployment/update-boot-image.md | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) 
diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index f35ddfa10d..080b060656 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -16,7 +16,6 @@ appliesto: - ✅ Windows Server 2019 - ✅ Windows Server 2016 --- ---- # Update Windows PE boot image with the latest cumulative update @@ -100,7 +99,7 @@ Mount-WindowsImage -Path "" -ImagePath "\" /Index:1 /MountDir:"" @@ -120,7 +119,7 @@ For more information, see [Modify a Windows image using DISM: Mount an image](/w Command to be determined ``` -### [**Command Line]**](#tab/command-line) +### [**Command Line**](#tab/command-line) ```cmd DISM.exe/Image:"" /Add-Driver /Driver:"\.inf" @@ -149,7 +148,7 @@ Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessme For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). -### [**Command Line]**](#tab/command-line) +### [**Command Line**](#tab/command-line) ```cmd DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" 
@@ -169,7 +168,7 @@ For more information, see [Add or Remove Packages Offline Using DISM](/windows-h Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -Path "" -Verbose ``` -### [**Command Line]**](#tab/command-line) +### [**Command Line**](#tab/command-line) ```cmd DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" @@ -206,7 +205,7 @@ Add-WindowsPackage -PackagePath "" -Path "" /Add-Package /PackagePath:"" @@ -233,7 +232,7 @@ Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files ( Copy-Item "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" -Force ``` -### [**Command Line]**](#tab/command-line) +### [**Command Line**](#tab/command-line) ```cmd Command to be determined @@ -253,7 +252,7 @@ Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase" -Wait -LoadUserProfile ``` -### [**Command Line]**](#tab/command-line) +### [**Command Line**](#tab/command-line) ```cmd DISM.exe /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase /Defer @@ -277,7 +276,7 @@ Get-WindowsPackage -Path "" For more information, see [Get-WindowsPackage](/powershell/module/dism/get-windowspackage). -### [**Command Line]**](#tab/command-line) +### [**Command Line**](#tab/command-line) ```cmd DISM.exe /Image:"" /Get-Packages 
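Review bot: The Step 5 hunk corrects the tab heading but leaves the command directly beneath it inconsistent: the context line `DISM.exe/Image:"" /Add-Driver ...` has no space between `DISM.exe` and `/Image`, unlike every other DISM.exe line on the page. Since this patch already touches that block, add the space here. The `Command to be determined` placeholders in the Step 5 PowerShell tab and the Step 8 Command Line tab are also still in place, and the subject line ("Article 13") does not say what changed; a subject such as "fix Command Line tab heading syntax" would make the history searchable.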
@@ -299,7 +298,7 @@ Dismount-WindowsImage -Path "" -Save -Verbose For more information, see [Dismount-WindowsImage](/powershell/module/dism/dismount-windowsimage). -### [**Command Line]**](#tab/command-line) +### [**Command Line**](#tab/command-line) ```cmd DISM.exe /Unmount-Image /MountDir:"" /Commit @@ -321,7 +320,7 @@ Export-WindowsImage -SourceImagePath "\.wim" -Sourc For more information, see [Export-WindowsImage](/powershell/module/dism/export-windowsimage). -### [**Command Line]**](#tab/command-line) +### [**Command Line**](#tab/command-line) ```cmd DISM.exe /Export-Image /SourceImageFile:"\.wim" /SourceIndex:1 /DestinationImageFile:"\-export.wim" From 1c1d83ed6034a4b5761aa3cb8b5ded4da7177162 Mon Sep 17 00:00:00 2001 
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 11:41:14 -0400 Subject: [PATCH 020/110] Update Boot Image with CU Article 14 --- .../images/icons/command-prompt-16.png | Bin 0 -> 343 bytes .../images/icons/command-prompt-24.png | Bin 0 -> 455 bytes .../images/icons/command-prompt-32.png | Bin 0 -> 510 bytes .../images/icons/command-prompt.svg | 3 + .../deployment/images/icons/powershell-16.png | Bin 0 -> 317 bytes .../deployment/images/icons/powershell-24.png | Bin 0 -> 425 bytes .../deployment/images/icons/powershell-32.png | Bin 0 -> 437 bytes .../images/icons/powershell-color-18.svg | 20 +++ .../deployment/images/icons/powershell.svg | 3 + windows/deployment/update-boot-image.md | 144 ++++++++++-------- 10 files changed, 104 insertions(+), 66 deletions(-) create mode 100644 windows/deployment/images/icons/command-prompt-16.png create mode 100644 windows/deployment/images/icons/command-prompt-24.png create mode 100644 windows/deployment/images/icons/command-prompt-32.png create mode 100644 windows/deployment/images/icons/command-prompt.svg create mode 100644 windows/deployment/images/icons/powershell-16.png create mode 100644 windows/deployment/images/icons/powershell-24.png create mode 100644 windows/deployment/images/icons/powershell-32.png create mode 100644 windows/deployment/images/icons/powershell-color-18.svg create mode 100644 windows/deployment/images/icons/powershell.svg 
diff --git a/windows/deployment/images/icons/command-prompt-16.png b/windows/deployment/images/icons/command-prompt-16.png new file mode 100644 index 0000000000000000000000000000000000000000..d3a5d0257cbb088e7d90f0751012d1bd70aa5f73 GIT binary patch literal 343 zcmeAS@N?(olHy`uVBq!ia0vp^0wB!61|;P_|4#%`jKx9jP7LeL$-D$|SkfJR9T^xl z_H+M9WCij$3p^r=85sBugD~Uq{1quc!8e{Rjv*HQYcK81VsaE|dw7vMz%eKyGID9} zTziFx3~?SaM%SDoW=$5(s4UHY3Brcv0{PCmTRo;*l~4SBCQ`gqT#VhmVp=}?Go9Vm z&*WAncKNdl&(MGK@!bRVZ!fKTWMmTAbN04I%O+ft@F+atq^I4pw8C>?vw2F&!PCO4 zqW+$^*UiYO^RdU~(u+r|ku}PF!A#64$^NV5f1Xuco7UD9Hv2#W+pnmLNodyved|HtB6=6={ jc(cTH=f4NrkIkspY!587t}w^}`kTSi)z4*}Q$iB}Xexfn literal 0 HcmV?d00001 diff --git a/windows/deployment/images/icons/command-prompt-24.png b/windows/deployment/images/icons/command-prompt-24.png new file mode 100644 index 0000000000000000000000000000000000000000..f5729faa7f8a423fbb8d5b494cb67b9adb34d0b4 GIT binary patch literal 455 zcmV;&0XY7NP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D0bEH$K~zXf)zmvL z1wk0b@gam$NC=hCxP1c=iG)h6qf#m)isM#DC?pb5C`b^6hEgL6t;T2I14tA)4Wi)x z%!PAyWmaNV;z@qlclPYgn=`Y!<}cEYUi6ee^O|iuPx#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D0h38YK~z{r?Uy-A z#6SQ><57qfUX@mYrC17rpddDar3xaVwH6+Tl~$J8c!Hg+cz}(Kje-gmTG*+LHvR(z zZS;MU9d@%$Ocs`8g?;eId=o;x>`sPVuMCXf4sNBO?(6O2cZz!3nZW_hB7Nuif4F(jp(8V-|@(#aAFnEQ|R0ZR%#-Lip+5ocd^$bpLx`EO(waCRp1=; zy8Oi<>iT7qd~{>Y&6(sTvOpbv;6d8&G(yBI6bKAb#xI~ zpccPy!lZCqYryh~C;spkkp;vRUi-sPTx-BGi#peAQjk~$x=`mfut5_UG`4Sro?O@F zuK{5f + + \ No newline at end of file 
diff --git a/windows/deployment/images/icons/powershell-16.png b/windows/deployment/images/icons/powershell-16.png new file mode 100644 index 0000000000000000000000000000000000000000..4ecfea848644068ea9bcb4506dabd981e216ef49 GIT binary patch literal 317 zcmeAS@N?(olHy`uVBq!ia0vp^0wB!61|;P_|4#%`jKx9jP7LeL$-D$|SkfJR9T^xl z_H+M9WCij$3p^r=85sBugD~Uq{1quc!AqVljv*HQYcJXJF*=GI|JZp>Fy-2v zBfctDf>IyVrRo;{FZg;r+;vs$-_@Xb7Z_^?Blf^*4VBhyXa7dr~3=S-a3 z+7cl>qvwN*@BW*@w-vfs^E6I7`K;kh+3@a$f-*PfMza?S-c4V{^)pY+Kg;rfi}{4? zDZbl81m^Cu@ws=s!nNX9FXy7e#?3$fHE1ntebIkEPx#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D0X|7YK~zXf)z!O7 z13?tV@$mwhLI`MOOcjNISX!sDu=OE?6oLt8AqW-}&iYON5 z{|&P+#Jx=7uHXkhvKh{v!(K8me~~h(*eZbfnp=$VT>$kp_wGv@Cpo%=`kEd-pj)+q z)f}i#4R%1s9Tdgf;R_cy&(RI+fCt!zk#kD01EOc31wYH~bKdARO&qX*C%mAdg*lQr z;1ntt;Rv%PbwHFo44}d;;%br-G(cIx6;wRL0YVZyK&j&$I^i0+g;@z6a0V5=;ZO^K z$sDkQXQ-%;b T;xcYW00000NkvXXu0mjflQymO literal 0 HcmV?d00001 diff --git a/windows/deployment/images/icons/powershell-32.png b/windows/deployment/images/icons/powershell-32.png new file mode 100644 index 0000000000000000000000000000000000000000..c28fd8f833588b38eddc94d0acdfcaa0e30a8361 GIT binary patch literal 437 zcmV;m0ZRUfP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D0ZK_kK~z{r?bp38 z1VJ3e@exGg6rvTCmMA3(|AGcBJ)KIT)1kO{38hvP3ZjrmC>0tSe}P1+(Mb3{VG_&A z{$_W~DDFu<$-c~Hp1a-K%(+g;9QLr2f#!9Gc+1G`er_CLDWPi=3e0LJVb)P7aD{D@ z-K*F%&m9T{a``{cz=C!XW)p=1YLzm6-pT@l82#9c8dHH@oZ}huIuJ3Y0{u9J&dWYp zh!Il(pJlv2 zzQnSY)cI+Y#Z*A)fo{Y197EStSwmUO1%8V@nXaiaj + + + + + + + + + MsPortalFx.base.images-10 + + + + + + + + + + \ No newline at end of file diff --git a/windows/deployment/images/icons/powershell.svg b/windows/deployment/images/icons/powershell.svg new file mode 100644 index 0000000000..7ea68cb8b0 --- /dev/null +++ b/windows/deployment/images/icons/powershell.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file 
diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 080b060656..42f137223d 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -53,25 +53,23 @@ Note about Windows Server 2012 R2 ## Step 1: Download and install ADK -- Download and install the **Windows Assessment and Deployment Kit (Windows ADK)** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). +1. Download and install the **Windows Assessment and Deployment Kit (Windows ADK)** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). -- Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). Make sure to download and install both components. +1. Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). Make sure to download and install both components. -- It's strongly recommended to download and install the latest version of the ADK. +It's strongly recommended to download and install the latest version of the ADK. When installing the Windows ADK, it's only necessary to install the **Deployment Tools**. -- When installing the Windows ADK, it's only necessary to install the **Deployment Tools**. - -- The paths in this article assume the Windows ADK was installed to the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths accordingly. +The paths in this article assume the Windows ADK was installed to the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths accordingly. 
## Step 2: Download cumulative update (CU) -- Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update for the version of Windows that matches the version of Windows PE that was downloaded in [Step 1](#step-1-download-and-install-adk) or the version of the Windows PE boot image that will be updated. +1. Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update for the version of Windows that matches the version of Windows PE that was downloaded in [Step 1](#step-1-download-and-install-adk) or the version of the Windows PE boot image that will be updated. -- When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"- cumulative update for windows "` where `year` is the four digit current year, `` is the two digit current month, and `` is the version of Windows that Windows PE is based on. For example, to search for the latest cumulative update for Windows 11 in July 2023, use the search term `"2023-07 cumulative update for windows 11"`. If the cumulative update hasn't been released yet for the current month, then search on the previous month. +1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"- cumulative update for windows "` where `year` is the four digit current year, `` is the two digit current month, and `` is the version of Windows that Windows PE is based on. For example, to search for the latest cumulative update for Windows 11 in July 2023, use the search term `"2023-07 cumulative update for windows 11"`. If the cumulative update hasn't been released yet for the current month, then search on the previous month. -- Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. 
For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the **Cumulative Update for Windows 11 Version 22H2 for x64-based Systems" version of the update. +1. Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the **Cumulative Update for Windows 11 Version 22H2 for x64-based Systems** version of the update. -- Store the downloaded cumulative update in a known location for later use. +1. Store the downloaded cumulative update in a known location for later use. > [!TIP] 
> @@ -81,25 +79,25 @@ Note about Windows Server 2012 R2 ## Step 3: Backup existing boot image -- Before modifying the desired boot image, make a backup copy of the boot image. For example, +Before modifying the desired boot image, make a backup copy of the boot image. For example: - - For the boot image included with the **Windows PE add-on for the Windows ADK**, the boot image is located at `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim`. +- For the boot image included with the **Windows PE add-on for the Windows ADK**, the boot image is located at `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim`. - - For the boot image included with Microsoft Configuration Manager, the boot image is located at `\OSD\boot\x64\boot.wim` +- For the boot image included with Microsoft Configuration Manager, the boot image is located at `\OSD\boot\x64\boot.wim` ## Step 4: Mount boot image to temporary mount folder -- Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. +Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. -### [**PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose ``` -For more information, see [Mount-WindowsImage](/powershell/module/dism/mount-windowsimage) +For more information, see [Mount-WindowsImage](/powershell/module/dism/mount-windowsimage). -### [**Command Line**](#tab/command-line) +### [:::image type="icon" source="images/icons/command-prompt.svg"::: **Command Line**](#tab/command-line) ```cmd DISM.exe /Mount-image /imagefile:"" /Index:1 /MountDir:"" 
@@ -111,19 +109,23 @@ For more information, see [Modify a Windows image using DISM: Mount an image](/w ## Step 5: Add drivers to boot image -- If needed, add any drivers to the boot image. +If needed, add any drivers to the boot image: -### [**PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Command to be determined ``` -### [**Command Line**](#tab/command-line) +### [:::image type="icon" source="images/icons/command-prompt.svg"::: **Command Line**](#tab/command-line) ```cmd -DISM.exe/Image:"" /Add-Driver /Driver:"\.inf" +DISM.exe /Image:"" /Add-Driver /Driver:"\.inf" +``` +or + +```cmd DISM.exe /Image:"" /Add-Driver /Driver:".cab" -Path "" -Verbose -``` + ```powershell + Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" -Path "" -Verbose + ``` -For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). + This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. -### [**Command Line**](#tab/command-line) + For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). 
-```cmd -DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" -``` + ### [:::image type="icon" source="images/icons/command-prompt-16.png"::: **Command Line**](#tab/command-line) ---- + ```cmd + DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" + ``` -You can add as many desired optional components as needed on a single DISM.exe command line. + This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. -For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). + You can add as many desired optional components as needed on a single **DISM.exe** command line. -- Make sure that after adding the optional component to also add the language specific component for that optional component. 
For example, for English United States (en-us), add the following: + For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). -### [**PowerShell**](#tab/powershell) + --- -```powershell -Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -Path "" -Verbose -``` +1. Make sure that after adding the optional component to also add the language specific component for that optional component. This needs to be done for every optional component that is added to the boot image. -### [**Command Line**](#tab/command-line) + For example, for English United States (en-us), add the following: -```cmd -DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -``` + ### [:::image type="icon" source="images/icons/powershell-24.png"::: **PowerShell**](#tab/powershell) -You can add as many desired optional components as needed on a single DISM.exe command line. + ```powershell + Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -Path "" -Verbose + ``` ---- + This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. 
+ + ### [:::image type="icon" source="images/icons/command-prompt-24.png"::: **Command Line**](#tab/command-line) + + ```cmd + DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" + ``` + + This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. + + You can add as many desired optional components as needed on a single DISM.exe command line. + + --- > [!IMPORTANT] > @@ -195,9 +206,9 @@ You can add as many desired optional components as needed on a single DISM.exe c ## Step 7: Add cumulative update (CU) to boot image -- Apply the cumulative update (CU) downloaded earlier in the walkthrough to the boot image. +Apply the cumulative update (CU) downloaded earlier in the walkthrough to the boot image: -### [**PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-32.png"::: **PowerShell**](#tab/powershell) ```powershell Add-WindowsPackage -PackagePath "" -Path "" -Verbose @@ -205,7 +216,7 @@ Add-WindowsPackage -PackagePath "" -Path "" /Add-Package /PackagePath:"" 
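Review bot: The tab headings added across Steps 4 to 7 reference a different icon file each time for the same tab: the PowerShell tab uses `powershell.svg`, `powershell-color-18.svg`, `powershell-16.png`, `powershell-24.png` and `powershell-32.png` in turn, and the Command Line tab uses `command-prompt.svg`, `command-prompt-16.png` and `command-prompt-24.png`, while the tabs of the later steps shown in this patch get no icon at all. Pick one icon per tab type, apply it to every step, and commit only the image files that are actually referenced. Two wording leftovers on rewritten lines are worth fixing in the same pass: Step 4 still reads `Create a new empty empty folder`, and Step 6 reads `Make sure that after adding the optional component to also add the language specific component`, which would be clearer as "After adding an optional component, also add its language-specific component".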
@@ -221,8 +232,7 @@ For more information, see [Add or Remove Packages Offline Using DISM](/windows-h ## Step 8: Copy boot files from mounted image to ADK installation path -- Copy the updated bootmgr files from the updated boot image to the ADK installation path. -- This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr files are available to the ADK when creating bootable media. In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). +Copy the updated bootmgr files from the updated boot image to the ADK installation path: ### [**PowerShell**](#tab/powershell) 
@@ -240,9 +250,11 @@ Command to be determined --- +This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr files are available to the ADK when creating bootable media. In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). + ## Step 9: Perform component cleanup -- Run DISM.exe commands that will clean up the mounted image and help reduce its size +Run **DISM.exe** commands that will clean up the mounted image and help reduce its size: ### [**PowerShell**](#tab/powershell) @@ -266,7 +278,7 @@ For more information, see [Modify a Windows image using DISM: Reduce the size of ## Step 10: Verify all desired packages have been added to boot image -- After the optional components and the cumulative update (CU) have been applied to the boot image, verify that they are showing as installed. +After the optional components and the cumulative update (CU) have been applied to the boot image, verify that they are showing as installed: ### [**PowerShell**](#tab/powershell) 
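Review bot: The BlackLotus paragraph moved below the Step 8 tabs keeps its KB5025885 link on `https://prod.support.services.microsoft.com/...`, which looks like an internal or staging host rather than the public support site. Since this line is being rewritten anyway, point it at the public `support.microsoft.com` URL for the same article so readers following the CVE-2023-24932 guidance land on a host name they recognize. The hunk context also shows the Step 8 Command Line tab is still `Command to be determined`, so command-line users cannot complete the one step the page ties to the Secure Boot revocation fix; either supply the copy commands or drop the empty tab.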
@@ -310,27 +322,27 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag ## Step 12: Export boot image to reduce size -- Once the boot image has been unmounted and saved, its size can be further reduced by exporting it. +1. Once the boot image has been unmounted and saved, its size can be further reduced by exporting it: -### [**PowerShell**](#tab/powershell) + ### [**PowerShell**](#tab/powershell) -```powershell -Export-WindowsImage -SourceImagePath "\.wim" -SourceIndex 1 -DestinationImagePath "\-export.wim" -CompressionType max -Verbose -``` + ```powershell + Export-WindowsImage -SourceImagePath "\.wim" -SourceIndex 1 -DestinationImagePath "\-export.wim" -CompressionType max -Verbose + ``` -For more information, see [Export-WindowsImage](/powershell/module/dism/export-windowsimage). + For more information, see [Export-WindowsImage](/powershell/module/dism/export-windowsimage). -### [**Command Line**](#tab/command-line) + ### [**Command Line**](#tab/command-line) -```cmd -DISM.exe /Export-Image /SourceImageFile:"\.wim" /SourceIndex:1 /DestinationImageFile:"\-export.wim" -``` + ```cmd + DISM.exe /Export-Image /SourceImageFile:"\.wim" /SourceIndex:1 /DestinationImageFile:"\-export.wim" + ``` -For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Image Management Command-Line Options: /Export-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#export-image). + For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Image Management Command-Line Options: /Export-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#export-image). 
---- + --- -- Once the export has completed, delete the original boot image and then rename the exported boot image with the name of the original boot image. +1. Once the export has completed, delete the original boot image and then rename the exported boot image with the name of the original boot image. ## Considerations for Microsoft Configuration Manager From f7815742f63df0bcf10c79ac2b30099167b76c7c Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 12:00:24 -0400 Subject: [PATCH 021/110] Update Boot Image with CU Article 15 --- windows/deployment/update-boot-image.md | 64 ++++++++++++------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 42f137223d..18a6350563 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -141,53 +141,53 @@ For more information, see [Add and Remove Driver packages to an offline Windows 1. Add any desired optional components to the boot image: - ### [:::image type="icon" source="images/icons/powershell-16.png"::: **PowerShell**](#tab/powershell) + ### [:::image type="icon" source="images/icons/powershell-16.png"::: **PowerShell**](#tab/powershell) - ```powershell - Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" -Path "" -Verbose - ``` + ```powershell + Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" -Path "" -Verbose + ``` - This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. + This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. - For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). + For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). 
- ### [:::image type="icon" source="images/icons/command-prompt-16.png"::: **Command Line**](#tab/command-line) + ### [:::image type="icon" source="images/icons/command-prompt-16.png"::: **Command Line**](#tab/command-line) - ```cmd - DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" - ``` + ```cmd + DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" + ``` - This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. + This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. - You can add as many desired optional components as needed on a single **DISM.exe** command line. + You can add as many desired optional components as needed on a single **DISM.exe** command line. - For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). 
+ For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). - --- + --- 1. Make sure that after adding the optional component to also add the language specific component for that optional component. This needs to be done for every optional component that is added to the boot image. For example, for English United States (en-us), add the following: - ### [:::image type="icon" source="images/icons/powershell-24.png"::: **PowerShell**](#tab/powershell) + ### [:::image type="icon" source="images/icons/powershell-24.png"::: **PowerShell**](#tab/powershell) - ```powershell - Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -Path "" -Verbose - ``` + ```powershell + Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -Path "" -Verbose + ``` - This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. + This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. 
- ### [:::image type="icon" source="images/icons/command-prompt-24.png"::: **Command Line**](#tab/command-line) + ### [:::image type="icon" source="images/icons/command-prompt-24.png"::: **Command Line**](#tab/command-line) - ```cmd - DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" - ``` + ```cmd + DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" + ``` - This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. + This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. - You can add as many desired optional components as needed on a single DISM.exe command line. + You can add as many desired optional components as needed on a single DISM.exe command line. - --- + --- > [!IMPORTANT] > @@ -300,7 +300,7 @@ For more information, see [DISM Operating System Package (.cab or .msu) Servicin ## Step 11: Unmount boot image and save changes -- Once drivers, optional components, and the cumulative update (CU) have been applied to the boot image, unmount the boot image and save changes. +Once drivers, optional components, and the cumulative update (CU) have been applied to the boot image, unmount the boot image and save changes. ### [**PowerShell**](#tab/powershell) 
@@ -324,7 +324,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag 1. Once the boot image has been unmounted and saved, its size can be further reduced by exporting it: - ### [**PowerShell**](#tab/powershell) + # [**PowerShell**](#tab/powershell) ```powershell Export-WindowsImage -SourceImagePath "\.wim" -SourceIndex 1 -DestinationImagePath "\-export.wim" -CompressionType max -Verbose @@ -332,7 +332,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag For more information, see [Export-WindowsImage](/powershell/module/dism/export-windowsimage). - ### [**Command Line**](#tab/command-line) + # [**Command Line**](#tab/command-line) ```cmd DISM.exe /Export-Image /SourceImageFile:"\.wim" /SourceIndex:1 /DestinationImageFile:"\-export.wim" @@ -344,8 +344,8 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag 1. Once the export has completed, delete the original boot image and then rename the exported boot image with the name of the original boot image. -## Considerations for Microsoft Configuration Manager +## Microsoft Configuration Manager considerations -## Considerations for Microsoft Deployment Toolkit (MDT) +## Microsoft Deployment Toolkit (MDT) considerations -## Considerations for Windows Deployment Services (WDS) +## Windows Deployment Services (WDS) considerations From 59a9cb288eec470145d58f1950a72275ad7e06bf Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 12:10:00 -0400 Subject: [PATCH 022/110] Update Boot Image with CU Article 16 --- windows/deployment/update-boot-image.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 18a6350563..9a195963e4 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -167,7 +167,7 @@ For more information, see [Add and Remove Driver packages to an offline Windows 1. Make sure that after adding the optional component to also add the language specific component for that optional component. This needs to be done for every optional component that is added to the boot image. - For example, for English United States (en-us), add the following: + For example, for English United States (en-us), add the following: ### [:::image type="icon" source="images/icons/powershell-24.png"::: **PowerShell**](#tab/powershell) 
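Review bot: The step sentence carried as context in this @@ -167,7 hunk, "Make sure that after adding the optional component to also add the language specific component for that optional component", does not parse as an instruction, and since the hunk is already re-indenting the example line directly under it, this is the place to fix it. Suggest "After adding an optional component, also add the language-specific component for that optional component." The following sentence ("This needs to be done for every optional component that is added to the boot image") can stay as is.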
@@ -324,23 +324,23 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag 1. Once the boot image has been unmounted and saved, its size can be further reduced by exporting it: - # [**PowerShell**](#tab/powershell) + ### [**PowerShell**](#tab/powershell) - ```powershell - Export-WindowsImage -SourceImagePath "\.wim" -SourceIndex 1 -DestinationImagePath "\-export.wim" -CompressionType max -Verbose - ``` + ```powershell + Export-WindowsImage -SourceImagePath "\.wim" -SourceIndex 1 -DestinationImagePath "\-export.wim" -CompressionType max -Verbose + ``` - For more information, see [Export-WindowsImage](/powershell/module/dism/export-windowsimage). + For more information, see [Export-WindowsImage](/powershell/module/dism/export-windowsimage). - # [**Command Line**](#tab/command-line) + ### [**Command Line**](#tab/command-line) - ```cmd - DISM.exe /Export-Image /SourceImageFile:"\.wim" /SourceIndex:1 /DestinationImageFile:"\-export.wim" - ``` + ```cmd + DISM.exe /Export-Image /SourceImageFile:"\.wim" /SourceIndex:1 /DestinationImageFile:"\-export.wim" + ``` - For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Image Management Command-Line Options: /Export-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#export-image). + For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Image Management Command-Line Options: /Export-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#export-image). - --- + --- 1. Once the export has completed, delete the original boot image and then rename the exported boot image with the name of the original boot image. 
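Review bot: The two tabs re-indented in this @@ -324,23 hunk are not equivalent: the PowerShell example passes `-CompressionType max`, while the `DISM.exe /Export-Image` example carries no `/Compress` option, so the Command Line tab does not ask for the maximum compression that the PowerShell tab does. Suggest adding `/Compress:max` to the DISM.exe line so both tabs produce the same result. The closing step (delete the original boot image, then rename the export) would also be safer if it told the reader to confirm the exported .wim is usable before deleting the original, for example by listing its packages as in the earlier verification step.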
From f676f9c5208583f416b09c1432e6d90c79c20ba1 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 12:38:24 -0400 Subject: [PATCH 023/110] Update Boot Image with CU Article 17 --- windows/deployment/update-boot-image.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 9a195963e4..3c6d5fb765 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -89,7 +89,7 @@ Before modifying the desired boot image, make a backup copy of the boot image. F Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. -### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell.svg"{width=50%,height:50%}::: **PowerShell**](#tab/powershell) ```powershell Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose @@ -97,7 +97,7 @@ Mount-WindowsImage -Path "" -ImagePath "\" /Index:1 /MountDir:"" @@ -117,7 +117,7 @@ If needed, add any drivers to the boot image: Command to be determined ``` -### [:::image type="icon" source="images/icons/command-prompt.svg"::: **Command Line**](#tab/command-line) +### [:::image type="icon" source="images/icons/command-prompt.svg"{width=18px,height:18px}::: **Command Line**](#tab/command-line) ```cmd DISM.exe /Image:"" /Add-Driver /Driver:"\.inf" @@ -342,7 +342,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag --- -1. Once the export has completed, delete the original boot image and then rename the exported boot image with the name of the original boot image. +1. Once the export has completed, delete the original updated boot image and then rename the exported boot image with the name of the original updated boot image. ## Microsoft Configuration Manager considerations 
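Review bot: The icon attributes added in the @@ -89,7 and @@ -117,7 hunks are written inconsistently: `{width=50%,height:50%}` on the PowerShell tab and `{width=18px,height:18px}` on the Command Line tab use different units, and both mix `=` for width with `:` for height inside the same braces. Pick one separator and one size for both tabs, and confirm that the `:::image:::` tag accepts a trailing attribute block at all before merging, since none of the other tab headings visible in this file use one. The context line "Create a new empty empty folder" in the first hunk has a doubled word that could be fixed in the same change, and in the @@ -342,7 hunk "the original updated boot image" is ambiguous; naming the file that was mounted and updated in the earlier steps would make clear which image is deleted and which name the export takes.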
From 2c6dccfca7f1a17913b498503c91e3b09a26b843 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 12:45:17 -0400 Subject: [PATCH 024/110] Update Boot Image with CU Article 18 --- windows/deployment/update-boot-image.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 3c6d5fb765..0452454f38 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -89,7 +89,7 @@ Before modifying the desired boot image, make a backup copy of the boot image. F Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. -### [:::image type="icon" source="images/icons/powershell.svg"{width=50%,height:50%}::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell.svg"{ width=50%,height:50% }::: **PowerShell**](#tab/powershell) ```powershell Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose @@ -97,7 +97,7 @@ Mount-WindowsImage -Path "" -ImagePath "\" /Index:1 /MountDir:"" @@ -117,16 +117,16 @@ If needed, add any drivers to the boot image: Command to be determined ``` -### [:::image type="icon" source="images/icons/command-prompt.svg"{width=18px,height:18px}::: **Command Line**](#tab/command-line) +### [:::image type="icon" source="images/icons/command-prompt.svg"{ width=18px,height:18px }::: **Command Line**](#tab/command-line) ```cmd -DISM.exe /Image:"" /Add-Driver /Driver:"\.inf" +DISM.exe /Image:"" /Add-Driver /Driver:"\.inf" ``` or ```cmd -DISM.exe /Image:"" /Add-Driver /Driver:"" /Add-Driver /Driver:" Date: Thu, 27 Jul 2023 13:09:13 -0400 Subject: [PATCH 025/110] Update Boot Image with CU Article 19 --- windows/deployment/update-boot-image.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 0452454f38..83ebea68d7 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -89,7 +89,7 @@ Before modifying the desired boot image, make a backup copy of the boot image. F Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. -### [:::image type="icon" source="images/icons/powershell.svg"{ width=50%,height:50% }::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell.svg"{: width=50% height:50%}::: **PowerShell**](#tab/powershell) ```powershell Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose @@ -97,7 +97,7 @@ Mount-WindowsImage -Path "" -ImagePath "\" /Index:1 /MountDir:"" From 35aca47a28cf4404ab5161e0384c6b172e99072b Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 13:13:26 -0400 Subject: [PATCH 026/110] Update Boot Image with CU Article 20 --- windows/deployment/update-boot-image.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 83ebea68d7..e69d5565d1 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -89,7 +89,7 @@ Before modifying the desired boot image, make a backup copy of the boot image. F Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. -### [:::image type="icon" source="images/icons/powershell.svg"{: width=50% height:50%}::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose @@ -97,7 +97,7 @@ Mount-WindowsImage -Path "" -ImagePath "\" /Index:1 /MountDir:"" 
@@ -117,7 +117,7 @@ If needed, add any drivers to the boot image: Command to be determined ``` -### [:::image type="icon" source="images/icons/command-prompt.svg"{ width=18px,height:18px }::: **Command Line**](#tab/command-line) +### [:::image type="icon" source="images/icons/command-prompt.svg"::: **Command Line**](#tab/command-line) ```cmd DISM.exe /Image:"" /Add-Driver /Driver:"\.inf" From 05b0bf48ca7fad2fa76f19da5fbde342771c0a42 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 13:27:34 -0400 Subject: [PATCH 027/110] Update Boot Image with CU Article 21 --- windows/deployment/images/icons/command-prompt-18.svg | 3 +++ .../icons/{command-prompt.svg => command-prompt-org.svg} | 0 windows/deployment/images/icons/powershell-18.svg | 3 +++ windows/deployment/images/icons/powershell-org.svg | 3 +++ windows/deployment/update-boot-image.md | 6 +++--- 5 files changed, 12 insertions(+), 3 deletions(-) create mode 100644 windows/deployment/images/icons/command-prompt-18.svg rename windows/deployment/images/icons/{command-prompt.svg => command-prompt-org.svg} (100%) create mode 100644 windows/deployment/images/icons/powershell-18.svg create mode 100644 windows/deployment/images/icons/powershell-org.svg diff --git a/windows/deployment/images/icons/command-prompt-18.svg b/windows/deployment/images/icons/command-prompt-18.svg new file mode 100644 index 0000000000..8a0a716d98 --- /dev/null +++ b/windows/deployment/images/icons/command-prompt-18.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/windows/deployment/images/icons/command-prompt.svg b/windows/deployment/images/icons/command-prompt-org.svg similarity index 100% rename from windows/deployment/images/icons/command-prompt.svg rename to windows/deployment/images/icons/command-prompt-org.svg 
diff --git a/windows/deployment/images/icons/powershell-18.svg b/windows/deployment/images/icons/powershell-18.svg new file mode 100644 index 0000000000..ce645d001f --- /dev/null +++ b/windows/deployment/images/icons/powershell-18.svg @@ -0,0 +1,3 @@ + + \ No newline at end of file diff --git a/windows/deployment/images/icons/powershell-org.svg b/windows/deployment/images/icons/powershell-org.svg new file mode 100644 index 0000000000..7ea68cb8b0 --- /dev/null +++ b/windows/deployment/images/icons/powershell-org.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index e69d5565d1..5356ec74a5 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -89,7 +89,7 @@ Before modifying the desired boot image, make a backup copy of the boot image. F Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. -### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose @@ -97,7 +97,7 @@ Mount-WindowsImage -Path "" -ImagePath "\" /Index:1 /MountDir:"" @@ -117,7 +117,7 @@ If needed, add any drivers to the boot image: Command to be determined ``` -### [:::image type="icon" source="images/icons/command-prompt.svg"::: **Command Line**](#tab/command-line) +### [:::image type="icon" source="images/icons/command-prompt-18.svg"::: **Command Line**](#tab/command-line) ```cmd DISM.exe /Image:"" /Add-Driver /Driver:"\.inf" From 4e51e5f73edbb9268daef9effd7c157255707be9 Mon Sep 17 00:00:00 2001 
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 13:40:44 -0400 Subject: [PATCH 028/110] Update Boot Image with CU Article 22 --- windows/deployment/images/icons/powershell-18.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/images/icons/powershell-18.svg b/windows/deployment/images/icons/powershell-18.svg index ce645d001f..d1342f36f3 100644 --- a/windows/deployment/images/icons/powershell-18.svg +++ b/windows/deployment/images/icons/powershell-18.svg @@ -1,3 +1,3 @@ - \ No newline at end of file From 8b19e17bb2ac814a02182d06c2f0120c15243558 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 13:53:25 -0400 Subject: [PATCH 029/110] Update Boot Image with CU Article 23 --- windows/deployment/images/icons/command-prompt-18.svg | 2 +- windows/deployment/images/icons/powershell-color-18.svg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/images/icons/command-prompt-18.svg b/windows/deployment/images/icons/command-prompt-18.svg index 8a0a716d98..5f434b70ba 100644 --- a/windows/deployment/images/icons/command-prompt-18.svg +++ b/windows/deployment/images/icons/command-prompt-18.svg @@ -1,3 +1,3 @@ - + \ No newline at end of file diff --git a/windows/deployment/images/icons/powershell-color-18.svg b/windows/deployment/images/icons/powershell-color-18.svg index ab2d5152ca..4e8ad86674 100644 --- a/windows/deployment/images/icons/powershell-color-18.svg +++ b/windows/deployment/images/icons/powershell-color-18.svg @@ -1,4 +1,4 @@ - + From 6ebd80f097f801ef0f0ee3bb52e6101b92895e5d Mon Sep 17 00:00:00 2001 
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 14:12:16 -0400 Subject: [PATCH 030/110] Update Boot Image with CU Article 24 --- windows/deployment/images/icons/powershell-18.svg | 2 +- windows/deployment/images/icons/powershell-color-18.svg | 2 +- windows/deployment/update-boot-image.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/images/icons/powershell-18.svg b/windows/deployment/images/icons/powershell-18.svg index d1342f36f3..734d3930b1 100644 --- a/windows/deployment/images/icons/powershell-18.svg +++ b/windows/deployment/images/icons/powershell-18.svg @@ -1,3 +1,3 @@ - + \ No newline at end of file diff --git a/windows/deployment/images/icons/powershell-color-18.svg b/windows/deployment/images/icons/powershell-color-18.svg index 4e8ad86674..ab2d5152ca 100644 --- a/windows/deployment/images/icons/powershell-color-18.svg +++ b/windows/deployment/images/icons/powershell-color-18.svg @@ -1,4 +1,4 @@ - + diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 5356ec74a5..777aa721ea 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -111,7 +111,7 @@ For more information, see [Modify a Windows image using DISM: Mount an image](/w If needed, add any drivers to the boot image: -### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-color-18.svg"(#tab/powershell) ```powershell Command to be determined From b57185dc2ef57cbe148dbc08f7562308b8c37bff Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 14:17:44 -0400 Subject: [PATCH 031/110] Update Boot Image with CU Article 25 --- windows/deployment/update-boot-image.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
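Review bot: In the update-boot-image.md hunk at @@ -111,7 (the "Article 24" change), the added PowerShell tab heading is malformed: `source="images/icons/powershell-color-18.svg"(#tab/powershell)` drops the closing `:::` of the image tag, the `**PowerShell**` label and the `]` that ends the link text, so the line no longer has the `[label](#tab/powershell)` shape that every other tab heading in the file uses and will not render as a tab. Restore the removed line, ending `powershell-color-18.svg"::: **PowerShell**](#tab/powershell)`. The PowerShell block under this heading also still reads "Command to be determined", which should be replaced with a real command or the tab dropped before this section is published.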
diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 777aa721ea..5356ec74a5 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -111,7 +111,7 @@ For more information, see [Modify a Windows image using DISM: Mount an image](/w If needed, add any drivers to the boot image: -### [:::image type="icon" source="images/icons/powershell-color-18.svg"(#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Command to be determined From c3f8de7ae49d3a46b1ac539436f3fb24965a9684 Mon Sep 17 00:00:00 2001 
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 14:29:27 -0400 Subject: [PATCH 032/110] Update Boot Image with CU Article 26 --- ...mand-prompt-18.svg => command-line-18.svg} | 0 .../images/icons/command-prompt-16.png | Bin 343 -> 0 bytes .../images/icons/command-prompt-24.png | Bin 455 -> 0 bytes .../images/icons/command-prompt-32.png | Bin 510 -> 0 bytes .../images/icons/command-prompt-org.svg | 3 -- .../deployment/images/icons/powershell-16.png | Bin 317 -> 0 bytes .../deployment/images/icons/powershell-24.png | Bin 425 -> 0 bytes .../deployment/images/icons/powershell-32.png | Bin 437 -> 0 bytes .../images/icons/powershell-org.svg | 3 -- .../deployment/images/icons/powershell.svg | 3 -- windows/deployment/update-boot-image.md | 38 +++++++++--------- 11 files changed, 19 insertions(+), 28 deletions(-) rename windows/deployment/images/icons/{command-prompt-18.svg => command-line-18.svg} (100%) delete mode 100644 windows/deployment/images/icons/command-prompt-16.png delete mode 100644 windows/deployment/images/icons/command-prompt-24.png delete mode 100644 windows/deployment/images/icons/command-prompt-32.png delete mode 100644 windows/deployment/images/icons/command-prompt-org.svg delete mode 100644 windows/deployment/images/icons/powershell-16.png delete mode 100644 windows/deployment/images/icons/powershell-24.png delete mode 100644 windows/deployment/images/icons/powershell-32.png delete mode 100644 windows/deployment/images/icons/powershell-org.svg delete mode 100644 windows/deployment/images/icons/powershell.svg diff --git a/windows/deployment/images/icons/command-prompt-18.svg b/windows/deployment/images/icons/command-line-18.svg similarity index 100% rename from windows/deployment/images/icons/command-prompt-18.svg rename to windows/deployment/images/icons/command-line-18.svg 
diff --git a/windows/deployment/images/icons/command-prompt-16.png b/windows/deployment/images/icons/command-prompt-16.png deleted file mode 100644 index d3a5d0257cbb088e7d90f0751012d1bd70aa5f73..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 343 zcmeAS@N?(olHy`uVBq!ia0vp^0wB!61|;P_|4#%`jKx9jP7LeL$-D$|SkfJR9T^xl z_H+M9WCij$3p^r=85sBugD~Uq{1quc!8e{Rjv*HQYcK81VsaE|dw7vMz%eKyGID9} zTziFx3~?SaM%SDoW=$5(s4UHY3Brcv0{PCmTRo;*l~4SBCQ`gqT#VhmVp=}?Go9Vm z&*WAncKNdl&(MGK@!bRVZ!fKTWMmTAbN04I%O+ft@F+atq^I4pw8C>?vw2F&!PCO4 zqW+$^*UiYO^RdU~(u+r|ku}PF!A#64$^NV5f1Xuco7UD9Hv2#W+pnmLNodyved|HtB6=6={ jc(cTH=f4NrkIkspY!587t}w^}`kTSi)z4*}Q$iB}Xexfn diff --git a/windows/deployment/images/icons/command-prompt-24.png b/windows/deployment/images/icons/command-prompt-24.png deleted file mode 100644 index f5729faa7f8a423fbb8d5b494cb67b9adb34d0b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 455 zcmV;&0XY7NP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D0bEH$K~zXf)zmvL z1wk0b@gam$NC=hCxP1c=iG)h6qf#m)isM#DC?pb5C`b^6hEgL6t;T2I14tA)4Wi)x z%!PAyWmaNV;z@qlclPYgn=`Y!<}cEYUi6ee^O|iuPx#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D0h38YK~z{r?Uy-A z#6SQ><57qfUX@mYrC17rpddDar3xaVwH6+Tl~$J8c!Hg+cz}(Kje-gmTG*+LHvR(z zZS;MU9d@%$Ocs`8g?;eId=o;x>`sPVuMCXf4sNBO?(6O2cZz!3nZW_hB7Nuif4F(jp(8V-|@(#aAFnEQ|R0ZR%#-Lip+5ocd^$bpLx`EO(waCRp1=; zy8Oi<>iT7qd~{>Y&6(sTvOpbv;6d8&G(yBI6bKAb#xI~ zpccPy!lZCqYryh~C;spkkp;vRUi-sPTx-BGi#peAQjk~$x=`mfut5_UG`4Sro?O@F zuK{5f - - \ No newline at end of file 
diff --git a/windows/deployment/images/icons/powershell-16.png b/windows/deployment/images/icons/powershell-16.png deleted file mode 100644 index 4ecfea848644068ea9bcb4506dabd981e216ef49..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 317 zcmeAS@N?(olHy`uVBq!ia0vp^0wB!61|;P_|4#%`jKx9jP7LeL$-D$|SkfJR9T^xl z_H+M9WCij$3p^r=85sBugD~Uq{1quc!AqVljv*HQYcJXJF*=GI|JZp>Fy-2v zBfctDf>IyVrRo;{FZg;r+;vs$-_@Xb7Z_^?Blf^*4VBhyXa7dr~3=S-a3 z+7cl>qvwN*@BW*@w-vfs^E6I7`K;kh+3@a$f-*PfMza?S-c4V{^)pY+Kg;rfi}{4? zDZbl81m^Cu@ws=s!nNX9FXy7e#?3$fHE1ntebIkEPx#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D0X|7YK~zXf)z!O7 z13?tV@$mwhLI`MOOcjNISX!sDu=OE?6oLt8AqW-}&iYON5 z{|&P+#Jx=7uHXkhvKh{v!(K8me~~h(*eZbfnp=$VT>$kp_wGv@Cpo%=`kEd-pj)+q z)f}i#4R%1s9Tdgf;R_cy&(RI+fCt!zk#kD01EOc31wYH~bKdARO&qX*C%mAdg*lQr z;1ntt;Rv%PbwHFo44}d;;%br-G(cIx6;wRL0YVZyK&j&$I^i0+g;@z6a0V5=;ZO^K z$sDkQXQ-%;b T;xcYW00000NkvXXu0mjflQymO diff --git a/windows/deployment/images/icons/powershell-32.png b/windows/deployment/images/icons/powershell-32.png deleted file mode 100644 index c28fd8f833588b38eddc94d0acdfcaa0e30a8361..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 437 zcmV;m0ZRUfP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D0ZK_kK~z{r?bp38 z1VJ3e@exGg6rvTCmMA3(|AGcBJ)KIT)1kO{38hvP3ZjrmC>0tSe}P1+(Mb3{VG_&A z{$_W~DDFu<$-c~Hp1a-K%(+g;9QLr2f#!9Gc+1G`er_CLDWPi=3e0LJVb)P7aD{D@ z-K*F%&m9T{a``{cz=C!XW)p=1YLzm6-pT@l82#9c8dHH@oZ}huIuJ3Y0{u9J&dWYp zh!Il(pJlv2 zzQnSY)cI+Y#Z*A)fo{Y197EStSwmUO1%8V@nXaiaj - - \ No newline at end of file diff --git a/windows/deployment/images/icons/powershell.svg b/windows/deployment/images/icons/powershell.svg deleted file mode 100644 index 7ea68cb8b0..0000000000 --- a/windows/deployment/images/icons/powershell.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - \ No newline at end of file diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 5356ec74a5..b621a07b4d 100644 
--- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -89,7 +89,7 @@ Before modifying the desired boot image, make a backup copy of the boot image. F Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. -### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose @@ -97,7 +97,7 @@ Mount-WindowsImage -Path "" -ImagePath "\" /Index:1 /MountDir:"" @@ -117,7 +117,7 @@ If needed, add any drivers to the boot image: Command to be determined ``` -### [:::image type="icon" source="images/icons/command-prompt-18.svg"::: **Command Line**](#tab/command-line) +### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) ```cmd DISM.exe /Image:"" /Add-Driver /Driver:"\.inf" @@ -141,7 +141,7 @@ For more information, see [Add and Remove Driver packages to an offline Windows 1. Add any desired optional components to the boot image: - ### [:::image type="icon" source="images/icons/powershell-16.png"::: **PowerShell**](#tab/powershell) + ### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" -Path "" -Verbose 
@@ -151,7 +151,7 @@ For more information, see [Add and Remove Driver packages to an offline Windows For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). - ### [:::image type="icon" source="images/icons/command-prompt-16.png"::: **Command Line**](#tab/command-line) + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) ```cmd DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" @@ -169,7 +169,7 @@ For more information, see [Add and Remove Driver packages to an offline Windows For example, for English United States (en-us), add the following: - ### [:::image type="icon" source="images/icons/powershell-24.png"::: **PowerShell**](#tab/powershell) + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -Path "" -Verbose 
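Review bot: The added line in the @@ -169,7 hunk gives the **PowerShell** tab the command-line icon: `source="images/icons/command-line-18.svg"::: **PowerShell**](#tab/powershell)`. Every other PowerShell tab heading changed in this patch points at `powershell-color-18.svg`, so this looks like a copy-paste slip from the Command Line heading; use `images/icons/powershell-color-18.svg` here.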
@@ -177,7 +177,7 @@ For more information, see [Add and Remove Driver packages to an offline Windows This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. - ### [:::image type="icon" source="images/icons/command-prompt-24.png"::: **Command Line**](#tab/command-line) + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) ```cmd DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" @@ -208,7 +208,7 @@ For more information, see [Add and Remove Driver packages to an offline Windows Apply the cumulative update (CU) downloaded earlier in the walkthrough to the boot image: -### [:::image type="icon" source="images/icons/powershell-32.png"::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Add-WindowsPackage -PackagePath "" -Path "" -Verbose @@ -216,7 +216,7 @@ Add-WindowsPackage -PackagePath "" -Path "" /Add-Package /PackagePath:"" @@ -234,7 +234,7 @@ For more information, see [Add or Remove Packages Offline Using DISM](/windows-h Copy the updated bootmgr files from the updated boot image to the ADK installation path: -### [**PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Force 
@@ -242,7 +242,7 @@ Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files ( Copy-Item "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" -Force ``` -### [**Command Line**](#tab/command-line) +### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) ```cmd Command to be determined @@ -256,7 +256,7 @@ This step doesn't update or change the boot image. However, it makes sure that t Run **DISM.exe** commands that will clean up the mounted image and help reduce its size: -### [**PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase /Defer" -Wait -LoadUserProfile @@ -264,7 +264,7 @@ Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase" -Wait -LoadUserProfile ``` -### [**Command Line**](#tab/command-line) +### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) ```cmd DISM.exe /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase /Defer 
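Review bot: The `Start-Process` examples carried as context in the @@ -256,7 and @@ -264,7 hunks wrap the image path in double quotes inside an `-ArgumentList` string that is itself double-quoted (`-ArgumentList " /Image:"" /Cleanup-image ...`), so the inner quotes are not escaped and PowerShell will not pass the argument string to dism.exe as intended. Since these hunks already rewrite both tab headings around that block, fix the quoting in the same change by using single quotes for the outer string or escaping the inner quotes. The Command Line tab in the @@ -242,7 hunk also still reads "Command to be determined" under its new icon heading and needs a real command or removal before publishing.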
@@ -280,7 +280,7 @@ For more information, see [Modify a Windows image using DISM: Reduce the size of After the optional components and the cumulative update (CU) have been applied to the boot image, verify that they are showing as installed: -### [**PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Get-WindowsPackage -Path "" @@ -288,7 +288,7 @@ Get-WindowsPackage -Path "" For more information, see [Get-WindowsPackage](/powershell/module/dism/get-windowspackage). -### [**Command Line**](#tab/command-line) +### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) ```cmd DISM.exe /Image:"" /Get-Packages @@ -302,7 +302,7 @@ For more information, see [DISM Operating System Package (.cab or .msu) Servicin Once drivers, optional components, and the cumulative update (CU) have been applied to the boot image, unmount the boot image and save changes. -### [**PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Dismount-WindowsImage -Path "" -Save -Verbose @@ -310,7 +310,7 @@ Dismount-WindowsImage -Path "" -Save -Verbose For more information, see [Dismount-WindowsImage](/powershell/module/dism/dismount-windowsimage). -### [**Command Line**](#tab/command-line) +### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) ```cmd DISM.exe /Unmount-Image /MountDir:"" /Commit 
@@ -324,7 +324,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag 1. Once the boot image has been unmounted and saved, its size can be further reduced by exporting it: - ### [**PowerShell**](#tab/powershell) + ### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Export-WindowsImage -SourceImagePath "\.wim" -SourceIndex 1 -DestinationImagePath "\-export.wim" -CompressionType max -Verbose @@ -332,7 +332,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag For more information, see [Export-WindowsImage](/powershell/module/dism/export-windowsimage). - ### [**Command Line**](#tab/command-line) + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) ```cmd DISM.exe /Export-Image /SourceImageFile:"\.wim" /SourceIndex:1 /DestinationImageFile:"\-export.wim" From 14bbe96d93b96547e62505bd2f2c89d856a0234f Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 14:38:18 -0400 Subject: [PATCH 033/110] Update Boot Image with CU Article 27 --- .../deployment/images/icons/terminal-18.svg | 90 +++++++++++++++++++ windows/deployment/update-boot-image.md | 4 +- 2 files changed, 92 insertions(+), 2 deletions(-) create mode 100644 windows/deployment/images/icons/terminal-18.svg diff --git a/windows/deployment/images/icons/terminal-18.svg b/windows/deployment/images/icons/terminal-18.svg new file mode 100644 index 0000000000..7e1f7de9c2 --- /dev/null +++ b/windows/deployment/images/icons/terminal-18.svg @@ -0,0 +1,90 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index b621a07b4d..35877dc61e 100644 
--- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -97,7 +97,7 @@ Mount-WindowsImage -Path "" -ImagePath "\" /Index:1 /MountDir:"" @@ -169,7 +169,7 @@ For more information, see [Add and Remove Driver packages to an offline Windows For example, for English United States (en-us), add the following: - ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **PowerShell**](#tab/powershell) + ### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -Path "" -Verbose From a85cadf4710e3fa7988a11504c05eb7c0e695e4e Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 27 Jul 2023 14:49:29 -0400 Subject: [PATCH 034/110] Update Boot Image with CU Article 28 --- .../images/icons/command-line-18.svg | 93 ++++++++++++++++++- .../deployment/images/icons/powershell-18.svg | 21 ++++- .../images/icons/powershell-color-18.svg | 20 ---- .../deployment/images/icons/terminal-18.svg | 90 ------------------ windows/deployment/update-boot-image.md | 22 ++--- 5 files changed, 120 insertions(+), 126 deletions(-) delete mode 100644 windows/deployment/images/icons/powershell-color-18.svg delete mode 100644 windows/deployment/images/icons/terminal-18.svg diff --git a/windows/deployment/images/icons/command-line-18.svg b/windows/deployment/images/icons/command-line-18.svg index 5f434b70ba..7e1f7de9c2 100644 --- a/windows/deployment/images/icons/command-line-18.svg +++ b/windows/deployment/images/icons/command-line-18.svg @@ -1,3 +1,90 @@ - - - \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/windows/deployment/images/icons/powershell-18.svg b/windows/deployment/images/icons/powershell-18.svg index 734d3930b1..ab2d5152ca 100644 --- a/windows/deployment/images/icons/powershell-18.svg +++ b/windows/deployment/images/icons/powershell-18.svg @@ -1,3 +1,20 @@ - - + + + + + + + + + + MsPortalFx.base.images-10 + + + + + + + + + \ No newline at end of file diff --git a/windows/deployment/images/icons/powershell-color-18.svg b/windows/deployment/images/icons/powershell-color-18.svg deleted file mode 100644 index ab2d5152ca..0000000000 --- a/windows/deployment/images/icons/powershell-color-18.svg +++ /dev/null @@ -1,20 +0,0 @@ - - - - - - - - - - MsPortalFx.base.images-10 - - - - - - - - - - \ No newline at end of file diff --git a/windows/deployment/images/icons/terminal-18.svg b/windows/deployment/images/icons/terminal-18.svg deleted file mode 100644 index 7e1f7de9c2..0000000000 --- a/windows/deployment/images/icons/terminal-18.svg +++ /dev/null @@ -1,90 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 35877dc61e..78948fb9ee 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -89,7 +89,7 @@ Before modifying the desired boot image, make a backup copy of the boot image. F Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. -### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose @@ -97,7 +97,7 @@ Mount-WindowsImage -Path "" -ImagePath "\" /Index:1 /MountDir:"" 
@@ -111,7 +111,7 @@ For more information, see [Modify a Windows image using DISM: Mount an image](/w If needed, add any drivers to the boot image: -### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Command to be determined @@ -141,7 +141,7 @@ For more information, see [Add and Remove Driver packages to an offline Windows 1. Add any desired optional components to the boot image: - ### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) + ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" -Path "" -Verbose @@ -169,7 +169,7 @@ For more information, see [Add and Remove Driver packages to an offline Windows For example, for English United States (en-us), add the following: - ### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) + ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -Path "" -Verbose 
@@ -208,7 +208,7 @@ For more information, see [Add and Remove Driver packages to an offline Windows Apply the cumulative update (CU) downloaded earlier in the walkthrough to the boot image: -### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Add-WindowsPackage -PackagePath "" -Path "" -Verbose @@ -234,7 +234,7 @@ For more information, see [Add or Remove Packages Offline Using DISM](/windows-h Copy the updated bootmgr files from the updated boot image to the ADK installation path: -### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Force @@ -256,7 +256,7 @@ This step doesn't update or change the boot image. However, it makes sure that t Run **DISM.exe** commands that will clean up the mounted image and help reduce its size: -### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase /Defer" -Wait -LoadUserProfile 
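Review bot: in the Step 9 PowerShell block that closes this hunk, the `-ArgumentList` value nests double quotes inside a double-quoted string (`-ArgumentList " /Image:"" /Cleanup-image ..."`), so PowerShell interprets the inner quotes itself instead of passing a quoted path through to DISM, and a mount folder path that contains a space will not arrive as one quoted argument. Since the block is already being touched for the icon rename, wrap the argument string in single quotes so the inner double quotes stay literal.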
@@ -280,7 +280,7 @@ For more information, see [Modify a Windows image using DISM: Reduce the size of After the optional components and the cumulative update (CU) have been applied to the boot image, verify that they are showing as installed: -### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Get-WindowsPackage -Path "" @@ -302,7 +302,7 @@ For more information, see [DISM Operating System Package (.cab or .msu) Servicin Once drivers, optional components, and the cumulative update (CU) have been applied to the boot image, unmount the boot image and save changes. -### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) +### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Dismount-WindowsImage -Path "" -Save -Verbose @@ -324,7 +324,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag 1. Once the boot image has been unmounted and saved, its size can be further reduced by exporting it: - ### [:::image type="icon" source="images/icons/powershell-color-18.svg"::: **PowerShell**](#tab/powershell) + ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) ```powershell Export-WindowsImage -SourceImagePath "\.wim" -SourceIndex 1 -DestinationImagePath "\-export.wim" -CompressionType max -Verbose From 37d730e3faa745f100332eb43e95ee28b76ddf47 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 28 Jul 2023 13:08:55 -0400 Subject: [PATCH 035/110] Update Boot Image with CU Article 29 --- windows/deployment/update-boot-image.md | 111 +++++++++++++++++------- 1 file changed, 80 insertions(+), 31 deletions(-) 
diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 78948fb9ee..c9dbd31a63 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -21,21 +21,15 @@ appliesto: -This walkthrough describes how to update a Windows PE (WinPE) boot image with the latest cumulative update. +Microsoft recommends updating Windows PE (WinPE) boot images with the latest cumulative update for maximum security and protection. The latest cumulative updates may also resolve known issues. This walkthrough describes how to update a WinPE boot image with the latest cumulative update. ## Prerequisites - [Windows Assessment and Deployment Kit (Windows ADK)](/windows-hardware/get-started/adk-install) - It's recommended to use the latest version of the ADK. - [Windows PE add-on for the Windows ADK](/windows-hardware/get-started/adk-install). Make sure the version of Windows PE matches the version of Windows ADK that is being used. -- Boot image - This can be `winpe.wim` included with the Windows ADK. +- Windows PE boot image - Latest cumulative update downloaded from the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site. -## Overview - -Note about boot.wim from installation media -Note about Win11 ADK only having x64 boot images -Note about Windows Server 2012 R2 - ## Steps - [Step 1: Download and install ADK](#step-1-download-and-install-adk) 
@@ -45,7 +39,7 @@ Note about Windows Server 2012 R2 - [Step 5: Add drivers to boot image](#step-5-add-drivers-to-boot-image) - [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) - [Step 7: Add cumulative update (CU) to boot image](#step-7-add-cumulative-update-cu-to-boot-image) -- [Step 8: Copy boot files from mounted image to ADK installation path](#step-8-copy-boot-files-from-mounted-image-to-adk-installation-path) +- [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path) - [Step 9: Perform component cleanup](#step-9-perform-component-cleanup) - [Step 10: Verify all desired packages have been added to boot image](#step-10-verify-all-desired-packages-have-been-added-to-boot-image) - [Step 11: Unmount boot image and save changes](#step-11-unmount-boot-image-and-save-changes) 
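Review bot: the Steps list needs its Step 4 entry updated in this patch as well, not only Step 8. The same patch renames the heading to `## Step 4: Mount boot image to mount folder`, but the list entry just above this hunk's context still links to `#step-4-mount-boot-image-to-temporary-mount-folder`, so that in-page link is broken until a later patch in the series corrects it. Change the Step 4 link in the same commit as the heading rename.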
@@ -55,11 +49,15 @@ Note about Windows Server 2012 R2 1. Download and install the **Windows Assessment and Deployment Kit (Windows ADK)** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). -1. Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). Make sure to download and install both components. +1. Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). The **Windows PE add-on for the Windows ADK** is a separate download and install from the **Windows Assessment and Deployment Kit (Windows ADK)**. Make sure to individually download and install both. -It's strongly recommended to download and install the latest version of the ADK. When installing the Windows ADK, it's only necessary to install the **Deployment Tools**. +> [!IMPORTANT] +> +> It's strongly recommended to download and install the latest version of the Windows ADK and the Windows PE add-on for the Windows ADK. The latest versions of the Windows PE add-on for the Windows ADK only include 64-bit boot images. -The paths in this article assume the Windows ADK was installed to the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths accordingly. +When installing the Windows ADK, for the purpose of this walk-through, it's only necessary to install the **Deployment Tools**. One of the tools installed will be the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option instead of the **PowerShell** option to run commands, make sure to run the commands from this **Deployment and Imaging Tools Environment** command prompt. 
The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**. + +The paths in this article assume the Windows ADK was installed to the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly. ## Step 2: Download cumulative update (CU) 
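Review bot: spelling is inconsistent in the paragraphs added by this hunk, which use "walk-through" while the introduction rewritten in the same patch uses "walkthrough"; pick one form for the article. The added guidance about running Command Line commands from the **Deployment and Imaging Tools Environment** prompt also sits after the `[!IMPORTANT]` block rather than under the numbered item that installs the Windows ADK, so it reads as detached from that step; indenting it under list item 1 would keep the instruction with the install it depends on.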
@@ -79,33 +77,39 @@ The paths in this article assume the Windows ADK was installed to the default lo ## Step 3: Backup existing boot image -Before modifying the desired boot image, make a backup copy of the boot image. For example: +Before modifying the desired boot image, make a backup copy of the boot image that needs to be updated. For example: - For the boot image included with the **Windows PE add-on for the Windows ADK**, the boot image is located at `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim`. - For the boot image included with Microsoft Configuration Manager, the boot image is located at `\OSD\boot\x64\boot.wim` -## Step 4: Mount boot image to temporary mount folder +## Step 4: Mount boot image to mount folder -Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. +1. Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. -### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) +1. Mount the boot image to the mount folder using one of the following methods: -```powershell -Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose -``` + ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) -For more information, see [Mount-WindowsImage](/powershell/module/dism/mount-windowsimage). + From an elevated **PowerShell** command prompt, run the following command to mount the boot image to the mount folder: -### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + ```powershell + Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose + ``` -```cmd -DISM.exe /Mount-image /imagefile:"" /Index:1 /MountDir:"" -``` + For more information, see [Mount-WindowsImage](/powershell/module/dism/mount-windowsimage). 
-For more information, see [Modify a Windows image using DISM: Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) and [DISM Image Management Command-Line Options: /Mount-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#mount-image). + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) ---- + From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to mount the boot image to the mount folder: + + ```cmd + DISM.exe /Mount-image /imagefile:"" /Index:1 /MountDir:"" + ``` + + For more information, see [Modify a Windows image using DISM: Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) and [DISM Image Management Command-Line Options: /Mount-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#mount-image). + + --- ## Step 5: Add drivers to boot image @@ -113,12 +117,16 @@ If needed, add any drivers to the boot image: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) +From an elevated **PowerShell** command prompt, run the following command to add drivers to the boot image: + ```powershell Command to be determined ``` ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) +From an elevated **Deployment and Imaging Tools Environment** command prompt, run one of the following command to add drivers to the boot image: + ```cmd DISM.exe /Image:"" /Add-Driver /Driver:"\.inf" ``` 
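Review bot: the new list item in the Step 4 hunk (`@@ -79,33 +77,39 @@`) carries over a duplicated word, "Create a new empty empty folder to mount the boot image to"; drop the second "empty" while the line is being rewritten.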
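Review bot: in the Step 5 hunk (`@@ -113,12 +117,16 @@`) the new PowerShell lead-in, "run the following command to add drivers to the boot image", introduces a block whose only content is `Command to be determined`, so the PowerShell tab gives the reader nothing to run. Supply the command before merging or hold the lead-in back until it exists. The Command Line lead-in also needs a grammar fix: "run one of the following command" should read "commands".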
@@ -143,6 +151,8 @@ For more information, see [Add and Remove Driver packages to an offline Windows ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + From an elevated **PowerShell** command prompt, run the following command to add optional components to the boot image: + ```powershell Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" -Path "" -Verbose ``` @@ -153,6 +163,8 @@ For more information, see [Add and Remove Driver packages to an offline Windows ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to add optional components to the boot image: + ```cmd DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" ``` 
@@ -171,19 +183,23 @@ For more information, see [Add and Remove Driver packages to an offline Windows ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + From an elevated **PowerShell** command prompt, run the following command to add the language components for the optional components to the boot image: + ```powershell Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -Path "" -Verbose ``` - This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. + This example assumes a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly. ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to add the language components for the optional components to the boot image: + ```cmd DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" ``` - This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. + This example assumes a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly. You can add as many desired optional components as needed on a single DISM.exe command line. 
@@ -210,6 +226,8 @@ Apply the cumulative update (CU) downloaded earlier in the walkthrough to the bo ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) +From an elevated **PowerShell** command prompt, run the following command to add the cumulative update (CU) to the boot image: + ```powershell Add-WindowsPackage -PackagePath "" -Path "" -Verbose ``` @@ -218,6 +236,8 @@ For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windo ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) +From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to add the cumulative update (CU) to the boot image: + ```cmd DISM.exe /Image:"" /Add-Package /PackagePath:"" ``` @@ -230,12 +250,14 @@ For more information, see [Add or Remove Packages Offline Using DISM](/windows-h > > Make sure not to apply the cumulative update (CU) until all desired optional components have been installed. This will make sure that the optional components are also properly updated by the cumulative update. If in the future any additional optional components need to be added to the boot image, make sure to reapply the cumulative update. -## Step 8: Copy boot files from mounted image to ADK installation path +## Step 8: Copy boot files from mounted boot image to ADK installation path Copy the updated bootmgr files from the updated boot image to the ADK installation path: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) +From an elevated **PowerShell** command prompt, run the following command to copy the boot files from the mounted boot image to the ADK installation path: + ```powershell Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Force 
@@ -244,6 +266,8 @@ Copy-Item "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) +From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to copy the boot files from the mounted boot image to the ADK installation path: + ```cmd Command to be determined ``` @@ -254,10 +278,12 @@ This step doesn't update or change the boot image. However, it makes sure that t ## Step 9: Perform component cleanup -Run **DISM.exe** commands that will clean up the mounted image and help reduce its size: +Run **DISM.exe** commands that will clean up the mounted boot image and help reduce its size: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) +From an elevated **PowerShell** command prompt, run the following command to clean up the mounted boot image and help reduce its size: + ```powershell Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase /Defer" -Wait -LoadUserProfile @@ -266,6 +292,8 @@ Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) +From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to clean up the mounted boot image and help reduce its size: + ```cmd DISM.exe /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase /Defer 
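Review bot: the Command Line lead-in added in the `@@ -244,6 +266,8 @@` hunk promises a command to copy the boot files, but the `cmd` block under it still reads `Command to be determined`. Readers who follow the Command Line tab cannot complete Step 8, which leaves the ADK's `Media` copy of the bootmgr files out of date; add the copy commands or drop the tab until they are ready.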
@@ -282,6 +310,8 @@ After the optional components and the cumulative update (CU) have been applied t ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) +From an elevated **PowerShell** command prompt, run the following command to verify that all optional components and the cumulative update (CU) have been applied to the boot image: + ```powershell Get-WindowsPackage -Path "" ``` @@ -290,6 +320,8 @@ For more information, see [Get-WindowsPackage](/powershell/module/dism/get-windo ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) +From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to verify that all optional components and the cumulative update (CU) have been applied to the boot image: + ```cmd DISM.exe /Image:"" /Get-Packages ``` @@ -302,6 +334,8 @@ For more information, see [DISM Operating System Package (.cab or .msu) Servicin Once drivers, optional components, and the cumulative update (CU) have been applied to the boot image, unmount the boot image and save changes. +From an elevated **PowerShell** command prompt, run the following command to unmount the boot image and save changes: + ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) ```powershell @@ -312,6 +346,8 @@ For more information, see [Dismount-WindowsImage](/powershell/module/dism/dismou ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) +From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to unmount the boot image and save changes: + ```cmd DISM.exe /Unmount-Image /MountDir:"" /Commit ``` 
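Review bot: in the Step 11 hunk (`@@ -302,6 +334,8 @@`) the PowerShell lead-in is added above the `### [... **PowerShell**](#tab/powershell)` heading instead of below it, so it falls outside the tab and will be shown to Command Line readers as well. The other hunks in this patch place the lead-in after the tab heading; move this line to directly under the PowerShell tab heading, before the `Dismount-WindowsImage` block.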
@@ -326,6 +362,8 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + From an elevated **PowerShell** command prompt, run the following command to further reduce the size of the boot image by exporting it: + ```powershell Export-WindowsImage -SourceImagePath "\.wim" -SourceIndex 1 -DestinationImagePath "\-export.wim" -CompressionType max -Verbose ``` @@ -334,6 +372,8 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to further reduce the size of the boot image by exporting it: + ```cmd DISM.exe /Export-Image /SourceImageFile:"\.wim" /SourceIndex:1 /DestinationImageFile:"\-export.wim" ``` 
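Review bot: the two tabs in this step do not do the same thing. The PowerShell command exports with `-CompressionType max`, while the `DISM.exe /Export-Image` line in the `@@ -334,6 +372,8 @@` hunk passes no compression option, yet both new lead-ins promise to "further reduce the size of the boot image by exporting it". Add `/Compress:max` to the Command Line variant, or state in the text that the tabs differ.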
@@ -342,10 +382,19 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag --- -1. Once the export has completed, delete the original updated boot image and then rename the exported boot image with the name of the original updated boot image. +1. Once the export has completed: + + 1. Delete the original updated boot image. + 1. Rename the exported boot image with the name of the original updated boot image. ## Microsoft Configuration Manager considerations ## Microsoft Deployment Toolkit (MDT) considerations ## Windows Deployment Services (WDS) considerations + +The **boot.wim** that is part of Windows installation media isn't supported for use for deploying Windows 11 with Windows Deployment Services (WDS). For more information, see [Windows Deployment Services (WDS) boot.wim support](wds-boot-support.md) + +## Windows Server 2012 R2 + +This walk-through isn't intended for use with Windows Server 2012 R2. There may be additional steps necessary when using Windows Server 2012 R2, such as also having to apply the latest servicing stack update (SSU) to the WinPE boot image. For server OSes, it's strongly recommended to use Windows Server 2016 or later for this walk-through. For more information see, [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2). From 0fa0de81c6138cba00e415e59c351a96bd499480 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 28 Jul 2023 18:45:10 -0400 Subject: [PATCH 036/110] Update Boot Image with CU Article 30 --- windows/deployment/update-boot-image.md | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index c9dbd31a63..a4e59d9fb8 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -49,13 +49,17 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum 1. Download and install the **Windows Assessment and Deployment Kit (Windows ADK)** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). + When installing the Windows ADK, for the purpose of this walk-through, it's only necessary to install the **Deployment Tools**. One of the tools installed will be the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option instead of the **PowerShell** option to run the commands in this walk-through, make sure to run the commands from the **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**. + 1. Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). The **Windows PE add-on for the Windows ADK** is a separate download and install from the **Windows Assessment and Deployment Kit (Windows ADK)**. Make sure to individually download and install both. > [!IMPORTANT] > -> It's strongly recommended to download and install the latest version of the Windows ADK and the Windows PE add-on for the Windows ADK. The latest versions of the Windows PE add-on for the Windows ADK only include 64-bit boot images. - -When installing the Windows ADK, for the purpose of this walk-through, it's only necessary to install the **Deployment Tools**. One of the tools installed will be the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option instead of the **PowerShell** option to run commands, make sure to run the commands from this **Deployment and Imaging Tools Environment** command prompt. 
The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**. +> It's strongly recommended to download and install the latest version of the Windows ADK and the Windows PE add-on for the Windows ADK. +> +> However, since the Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT. +> +> Additionally, the latest versions of the **Windows PE add-on for the Windows ADK** only includes 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK to include both 32-bit and 64-bit boot images. The paths in this article assume the Windows ADK was installed to the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly. 
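Review bot: the rewritten sentence in the `[!IMPORTANT]` block introduces a subject-verb slip: "the latest versions of the **Windows PE add-on for the Windows ADK** only includes 64-bit boot images" should keep "include", as the removed line had it.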
@@ -79,9 +83,15 @@ The paths in this article assume the Windows ADK was installed to the default lo Before modifying the desired boot image, make a backup copy of the boot image that needs to be updated. For example: -- For the boot image included with the **Windows PE add-on for the Windows ADK**, the boot image is located at `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim`. +- For the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**, the boot image is located at `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim`. -- For the boot image included with Microsoft Configuration Manager, the boot image is located at `\OSD\boot\x64\boot.wim` +- For the default 64-bit boot image that is generated by **Microsoft Configuration Manager**, the boot image is located at `\OSD\boot\x64\boot.wim`. However, for **Microsoft Configuration Manager** it's recommended to modify the boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations). + +- For the default 64-bit boot image that is generated by the **Microsoft Deployment Toolkit (MDT)**, the boot image is located at `\Boot\LiteTouchPE_x64.wim`. However, for **Microsoft Deployment Toolkit (MDT)** it's recommended to modify the boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Deployment Toolkit (MDT) considerations](#microsoft-deployment-toolkit-mdt-considerations). + +- For 64-bit boot images in **Windows Deployment Services (WDS)**, the boot images are located at `\Boot\x64\Images`. + +Adjust the above paths for 32-bit boot images (only available in Windows 10 ADKs). ## Step 4: Mount boot image to mount folder 
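Review bot: The new Configuration Manager and MDT bullets each give the path of the generated boot image and then recommend modifying the `winpe.wim` from the Windows PE add-on instead, so a reader following "make a backup copy of the boot image that needs to be updated" is left unsure which file to back up. Consider leading each bullet with the recommended image and giving the generated image's path as the secondary case. The closing line "Adjust the above paths for 32-bit boot images" should also say which path segments change, since the bullets use both `amd64` and `x64`.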
From c6b5a101dd095b830f3cec394ff7d5ee3fc1c3ea Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 28 Jul 2023 20:09:53 -0400 Subject: [PATCH 037/110] Update Boot Image with CU Article 31 --- windows/deployment/update-boot-image.md | 28 ++++++++++++------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index a4e59d9fb8..49f79a5cfe 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -35,7 +35,7 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum - [Step 1: Download and install ADK](#step-1-download-and-install-adk) - [Step 2: Download cumulative update (CU)](#step-2-download-cumulative-update-cu) - [Step 3: Backup existing boot image](#step-3-backup-existing-boot-image) -- [Step 4: Mount boot image to temporary mount folder](#step-4-mount-boot-image-to-temporary-mount-folder) +- [Step 4: Mount boot image to mount folder](#step-4-mount-boot-image-to-mount-folder) - [Step 5: Add drivers to boot image](#step-5-add-drivers-to-boot-image) - [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) - [Step 7: Add cumulative update (CU) to boot image](#step-7-add-cumulative-update-cu-to-boot-image) 
@@ -49,7 +49,7 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum 1. Download and install the **Windows Assessment and Deployment Kit (Windows ADK)** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). - When installing the Windows ADK, for the purpose of this walk-through, it's only necessary to install the **Deployment Tools**. One of the tools installed will be the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option instead of the **PowerShell** option to run the commands in this walk-through, make sure to run the commands from the **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**. + When installing the Windows ADK, for the purpose of this walk-through, it's only necessary to install the **Deployment Tools**. One of the tools installed will be the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option instead of the **PowerShell** option to run the commands in this walk-through, make sure to run the commands from the **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**. 1. Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). The **Windows PE add-on for the Windows ADK** is a separate download and install from the **Windows Assessment and Deployment Kit (Windows ADK)**. Make sure to individually download and install both. 
@@ -99,25 +99,25 @@ Adjust the above paths for 32-bit boot images (only available in Windows 10 ADKs 1. Mount the boot image to the mount folder using one of the following methods: - ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) - From an elevated **PowerShell** command prompt, run the following command to mount the boot image to the mount folder: + From an elevated **PowerShell** command prompt, run the following command to mount the boot image to the mount folder: - ```powershell - Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose - ``` + ```powershell + Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose + ``` - For more information, see [Mount-WindowsImage](/powershell/module/dism/mount-windowsimage). + For more information, see [Mount-WindowsImage](/powershell/module/dism/mount-windowsimage). - ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) - From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to mount the boot image to the mount folder: + From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to mount the boot image to the mount folder: - ```cmd - DISM.exe /Mount-image /imagefile:"" /Index:1 /MountDir:"" - ``` + ```cmd + DISM.exe /Mount-image /imagefile:"" /Index:1 /MountDir:"" + ``` - For more information, see [Modify a Windows image using DISM: Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) and [DISM Image Management Command-Line Options: /Mount-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#mount-image). 
+ For more information, see [Modify a Windows image using DISM: Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) and [DISM Image Management Command-Line Options: /Mount-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#mount-image). --- From cfebff1546ed0a0f675fb42778cfadf3766d7b9f Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Sat, 29 Jul 2023 09:13:18 -0400 Subject: [PATCH 038/110] Update Boot Image with CU Article 32 --- windows/deployment/update-boot-image.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 49f79a5cfe..ad8dd9af53 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -51,6 +51,8 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum When installing the Windows ADK, for the purpose of this walk-through, it's only necessary to install the **Deployment Tools**. One of the tools installed will be the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option instead of the **PowerShell** option to run the commands in this walk-through, make sure to run the commands from the **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**. + The paths in this article assume the Windows ADK was installed to the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly. + 1. Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). The **Windows PE add-on for the Windows ADK** is a separate download and install from the **Windows Assessment and Deployment Kit (Windows ADK)**. Make sure to individually download and install both. > [!IMPORTANT] 
@@ -59,9 +61,7 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum > > However, since the Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT. > -> Additionally, the latest versions of the **Windows PE add-on for the Windows ADK** only includes 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK to include both 32-bit and 64-bit boot images. - -The paths in this article assume the Windows ADK was installed to the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly. +> Additionally, the latest versions of the **Windows PE add-on for the Windows ADK** only includes 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images. ## Step 2: Download cumulative update (CU) 
@@ -344,10 +344,10 @@ For more information, see [DISM Operating System Package (.cab or .msu) Servicin Once drivers, optional components, and the cumulative update (CU) have been applied to the boot image, unmount the boot image and save changes. -From an elevated **PowerShell** command prompt, run the following command to unmount the boot image and save changes: - ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) +From an elevated **PowerShell** command prompt, run the following command to unmount the boot image and save changes: + ```powershell Dismount-WindowsImage -Path "" -Save -Verbose ``` @@ -403,7 +403,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag ## Windows Deployment Services (WDS) considerations -The **boot.wim** that is part of Windows installation media isn't supported for use for deploying Windows 11 with Windows Deployment Services (WDS). For more information, see [Windows Deployment Services (WDS) boot.wim support](wds-boot-support.md) +The **boot.wim** that is part of Windows installation media isn't supported for deploying Windows 11 with Windows Deployment Services (WDS). Additionally, the **boot.wim** from Windows 11 installation media isn't supported for deploying any version of Windows with Windows Deployment Services (WDS). For more information, see [Windows Deployment Services (WDS) boot.wim support](wds-boot-support.md) ## Windows Server 2012 R2 From 7cb2145bd47cfb23f08cff7889b7f36f64528456 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 1 Aug 2023 13:43:27 -0400 Subject: [PATCH 039/110] Update Boot Image with CU Article 33 --- windows/deployment/update-boot-image.md | 62 +++++++++++++++++++------ 1 file changed, 49 insertions(+), 13 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index ad8dd9af53..29da128f3c 100644 
--- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -85,9 +85,9 @@ Before modifying the desired boot image, make a backup copy of the boot image th - For the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**, the boot image is located at `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim`. -- For the default 64-bit boot image that is generated by **Microsoft Configuration Manager**, the boot image is located at `\OSD\boot\x64\boot.wim`. However, for **Microsoft Configuration Manager** it's recommended to modify the boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations). +- For the default 64-bit boot image that is generated by **Microsoft Configuration Manager**, the boot image is located at `\OSD\boot\x64\boot.wim`. However, for **Microsoft Configuration Manager** it's recommended to modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations). -- For the default 64-bit boot image that is generated by the **Microsoft Deployment Toolkit (MDT)**, the boot image is located at `\Boot\LiteTouchPE_x64.wim`. However, for **Microsoft Deployment Toolkit (MDT)** it's recommended to modify the boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Deployment Toolkit (MDT) considerations](#microsoft-deployment-toolkit-mdt-considerations). +- For the default 64-bit boot image that is generated by the **Microsoft Deployment Toolkit (MDT)**, the boot image is located at `\Boot\LiteTouchPE_x64.wim`. However, for **Microsoft Deployment Toolkit (MDT)** it's recommended to modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. 
For more information, see [Microsoft Deployment Toolkit (MDT) considerations](#microsoft-deployment-toolkit-mdt-considerations). - For 64-bit boot images in **Windows Deployment Services (WDS)**, the boot images are located at `\Boot\x64\Images`. 
@@ -215,20 +215,17 @@ For more information, see [Add and Remove Driver packages to an offline Windows --- +For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference?view=windows-11#winpe-optional-components). + > [!IMPORTANT] > -> For Microsoft Configuration Manager boot images, make sure to add any desired optional components manually using the above command lines instead of adding them through Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. This is because the cumulative update being applied at the next step will also update any optional components as needed. If the optional components are instead added through Configuration Manager, then the optional components will not be updated with the cumulative update. This could lead to unexpected behaviors and problems. -> -> For this reason, make sure to add the following required optional components need by Configuration Manager: -> -> - Scripting (WinPE-Scripting) -> - Startup (WinPE-SecureStartup) -> - Network (WinPE-WDS-Tools) -> - WMI (WinPE-WMI) -> -> Once any optional components has been manually added to a boot image, Configuration Manager will detect that the optional component has already been added. It will not try to add the optional component again whenever it is updating the boot image. +> When adding optional components, make sure to install optional components that are prerequisites of other optional components. Additionally, make sure that the prerequisite is installed firts. For more information on adding optional components, see [WinPE Optional Components (OC) Reference: How to add Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference?view=windows-11#how-to-add-optional-components). 
-### List of optional components +> [!IMPORTANT] +> +> Both **Microsoft Configuration Manager** and **Microsoft Deployment Toolkit (MDT)** boot images require certain optional components to work properly. Make sure to add these required components when using either **Microsoft Configuration Manager** and **Microsoft Deployment Toolkit (MDT)** +> +> Additionally, when adding any optional component for either **Microsoft Configuration Manager** or **Microsoft Deployment Toolkit (MDT)** boot images, make sure to add the components manually using the above command lines instead of adding them through **Configuration Manager** or **MDT**. For more information, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations) or [Microsoft Deployment Toolkit (MDT) considerations](#microsoft-deployment-toolkit-mdt-considerations). ## Step 7: Add cumulative update (CU) to boot image 
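Review bot: The second added `[!IMPORTANT]` callout tells readers to add the components that Configuration Manager and MDT require, but this hunk removes the list from Step 6, and the MDT section it links to (`#microsoft-deployment-toolkit-mdt-considerations`) contains only "Copy boot files" in this same patch, so MDT readers have no list to follow. Either hold the MDT half of the callout until that section is written or name the MDT components here. Smaller points in the added lines: "installed firts" is a typo, "either **Microsoft Configuration Manager** and **Microsoft Deployment Toolkit (MDT)**" should use "or" and is missing its closing period, and both new links pin `?view=windows-11`, which is better left off so the link follows the reader's selected version.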
@@ -399,8 +396,47 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag ## Microsoft Configuration Manager considerations +Microsoft Configuration Manager creates its own boot images by taking the `winpe.wim` from the Windows ADK, adding some optional components it requires to function correctly, and then saving the boot image as `boot.wim` in the directory `\OSD\boot\\boot.wim`. This `boot.wim` boot image is considered the pristine authoritative copy of the boot image by Configuration Manager and is almost never touched, modified, or updated by Configuration Manager. Instead, when changes such as: + +- Adding drivers +- Adding additional optional components +- Enabling the command prompt + +are done in the properties of the boot image in Configuration Manager, Configuration Manager makes a copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. If any additional changes are done to the boot image, Configuration Manager discards the previously created `boot..wim` boot image, makes a copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. In other words, `boot.wim` is never touched. Any time any changes are made to a boot image, both the new changes and any changes done in the past are reapplied to a new copy of `boot.wim`. The new changes are not applyed the existing copy of `boot..wim`. + +This process makes has the following advantages: + +1. Keeps `boot.wim` pristine. +1. Makes sure that when changes are made to a boot image, they are being done to a copy of a pristine version of the boot image that hasn't had been modified in the past. This helps avoid corruption and/or corrects issues with existing boot images. +1. Helps manage components in the boot image. The process doesn't need to know what components it might need to remove from the boot image each time the boot image is rebuilt. 
Instead, it just needs to know what components to add to the boot image. +1. Reduces the size of the boot image that can occur when components are removed from the boot image. + +There are two scenarios when the `boot.wim` boot image is updated by Configuration Manager: + +1. When updating between versions of Configuration Manager or when applying hotfix roll ups (HFRUs) to Configuration Manager, `boot.wim` may be updated as part of the update process. +1. When selecting the option **Reload this boot image with the current Windows PE version from the Windows ADK** in the **Update Distribution Points Wizard**. + +In theses scenarios, the `boot.wim` boot image is updated using the `winpe.wim` boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the `boot.wim` boot image using the current version of the `winpe.wim` boot image that is part of the Windows ADK. + +### Microsoft Configuration Manager boot image required components + +The following components are required by Microsoft Configuration Manager in the boot image for Configuration Manager to function correctly: + +- Scripting/WinPE-Scripting (WinPE-Scripting) +- Startup/WinPE-SecureStartup (WinPE-SecureStartup) +- Network/WinPE-WDS-Tools (WinPE-WDS-Tools) +- Scripting/WinPE-WMI (WinPE-WMI) + +Once any optional components has been manually added to a boot image, Configuration Manager will detect that the optional component has already been added. It will not try to add the optional component again whenever it is updating the boot image. + +### Adding optional components manually vs. adding optional components through Configuration Manager + +For Microsoft Configuration Manager boot images, make sure to add any desired optional components manually using the above command lines instead of adding them through Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. 
This is because the cumulative update being applied at the next step will also update any optional components as needed. If the optional components are instead added through Configuration Manager, then the optional components will not be updated with the cumulative update. This could lead to unexpected behaviors and problems. + ## Microsoft Deployment Toolkit (MDT) considerations +Copy boot files + ## Windows Deployment Services (WDS) considerations The **boot.wim** that is part of Windows installation media isn't supported for deploying Windows 11 with Windows Deployment Services (WDS). Additionally, the **boot.wim** from Windows 11 installation media isn't supported for deploying any version of Windows with Windows Deployment Services (WDS). For more information, see [Windows Deployment Services (WDS) boot.wim support](wds-boot-support.md) From 5afd79339a843083b91c6fd11335a3cc95519cc6 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 1 Aug 2023 15:36:46 -0400 Subject: [PATCH 040/110] Update Boot Image with CU Article 34 --- windows/deployment/update-boot-image.md | 82 ++++++++++++++++++++----- 1 file changed, 65 insertions(+), 17 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 29da128f3c..0435789f25 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -107,6 +107,10 @@ Adjust the above paths for 32-bit boot images (only available in Windows 10 ADKs Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose ``` + **Example**: + + `Mount-WindowsImage -Path "C:\Mount" -ImagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Index 1 -Verbose` + For more information, see [Mount-WindowsImage](/powershell/module/dism/mount-windowsimage). ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) @@ -117,6 +121,10 @@ Adjust the above paths for 32-bit boot images (only available in Windows 10 ADKs DISM.exe /Mount-image /imagefile:"" /Index:1 /MountDir:"" ``` + **Example**: + + `MDISM.exe /Mount-image /imagefile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /Index:1 /MountDir:"C:\Mount"` + For more information, see [Modify a Windows image using DISM: Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) and [DISM Image Management Command-Line Options: /Mount-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#mount-image). --- @@ -130,7 +138,13 @@ If needed, add any drivers to the boot image: From an elevated **PowerShell** command prompt, run the following command to add drivers to the boot image: ```powershell -Command to be determined +Add-WindowsDriver -Path "" -Driver "\.inf" +``` + +or + +```powershell +Add-WindowsDriver -Path "" -Driver "" -Recurse ``` ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) 
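Review bot: The Command Line example added after the `DISM.exe /Mount-image` syntax line starts with `MDISM.exe`, which will fail when pasted; it should be `DISM.exe`. In the PowerShell driver hunk, the two `Add-WindowsDriver` forms are joined by a bare "or" with nothing saying when to use each; one sentence explaining that the first adds a single `.inf` and the second adds every driver under a folder via `-Recurse` would make the choice clear. The new examples are also written as inline code while the syntax lines above them are fenced blocks, so they lose the copy button and language tag.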
@@ -144,16 +158,27 @@ DISM.exe /Image:"" /Add-Driver /Driver:"" /Add-Driver /Driver:"" /Add-Driver /Driver:"" /Recurse ``` For more information, see [Add and Remove Driver packages to an offline Windows Image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image) --- +Drivers are not affected by the cumulative update installed later in this walkthrough. Once a driver is added to a boot image, it does not need to be added again if a newer cumulative update is installed at a later point in time. + +> [!TIP] +> +> A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provide basic functionality while in WinPE. In most cases, no drivers need to be added to an out of box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verifed that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers. + > [!IMPORTANT] > -> For Microsoft Configuration Manager boot images, don't manually add drivers to the boot image using the above steps. Instead, add drivers through Configuration Manager via the **Drivers** tab in the **Properties** of the boot image. This will ensure that the drivers in the boot image can be properly managed through Configuration Manager. Drivers are not affected by the cumulative update installed later in this walkthrough. +> For Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT) boot images, don't manually add drivers to the boot image using the above steps. Instead, add drivers to the boot images via Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT): +> +> - In Configuration Manager, via the **Drivers** tab in the **Properties** of the boot image. 
+> - In Microsoft Deployment Toolkit (MDT), via the **Out-of-Box Drivers** tab in the **Properties** of the boot image. +> +> This will ensure that the drivers in the boot image can be properly managed through Configuration Manager or Microsoft Deployment Toolkit (MDT). ## Step 6: Add optional components to boot image @@ -215,11 +240,11 @@ For more information, see [Add and Remove Driver packages to an offline Windows --- -For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference?view=windows-11#winpe-optional-components). +For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). > [!IMPORTANT] > -> When adding optional components, make sure to install optional components that are prerequisites of other optional components. Additionally, make sure that the prerequisite is installed firts. For more information on adding optional components, see [WinPE Optional Components (OC) Reference: How to add Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference?view=windows-11#how-to-add-optional-components). +> When adding optional components, make sure to install optional components that are prerequisites of other optional components. Additionally, make sure that the prerequisite is installed first. For more information on adding optional components, see [WinPE Optional Components (OC) Reference: How to add Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#how-to-add-optional-components). > [!IMPORTANT] 
> @@ -396,13 +421,15 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag ## Microsoft Configuration Manager considerations -Microsoft Configuration Manager creates its own boot images by taking the `winpe.wim` from the Windows ADK, adding some optional components it requires to function correctly, and then saving the boot image as `boot.wim` in the directory `\OSD\boot\\boot.wim`. This `boot.wim` boot image is considered the pristine authoritative copy of the boot image by Configuration Manager and is almost never touched, modified, or updated by Configuration Manager. Instead, when changes such as: +### How Microsoft Configuration Manager creates boot images + +Microsoft Configuration Manager creates its own boot images by taking the `winpe.wim` from the Windows ADK, adding some [optional components it requires](#microsoft-configuration-manager-boot-image-required-components) to function correctly, and then saving the boot image as `boot.wim` in the directory `\OSD\boot\\boot.wim`. This `boot.wim` boot image is considered the pristine authoritative copy of the boot image by Configuration Manager and is never touched, modified, or updated by Configuration Manager except in some very specific scenarios. Instead, when changes such as: - Adding drivers - Adding additional optional components - Enabling the command prompt -are done in the properties of the boot image in Configuration Manager, Configuration Manager makes a copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. If any additional changes are done to the boot image, Configuration Manager discards the previously created `boot..wim` boot image, makes a copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. In other words, `boot.wim` is never touched. 
Any time any changes are made to a boot image, both the new changes and any changes done in the past are reapplied to a new copy of `boot.wim`. The new changes are not applyed the existing copy of `boot..wim`. +are done in the properties of the boot image in Configuration Manager, Configuration Manager makes a copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. If any additional changes are done to the boot image, Configuration Manager discards the previously created `boot..wim` boot image, makes a copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. In other words, `boot.wim` is never touched. Any time any changes are made to a boot image, both the new changes and any changes done in the past are reapplied to a new copy of `boot.wim`. The new changes are not applied the existing copy of `boot..wim`. This process makes has the following advantages: 
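Review bot: The reworded opening paragraph now says `boot.wim` is never touched "except in some very specific scenarios", but the rewritten paragraph after the bullet list still states "In other words, `boot.wim` is never touched", and the section then goes on to list two scenarios in which it is updated. Qualify the second statement the same way, or point to the two scenarios from it. In the same added paragraph, "The new changes are not applied the existing copy" is missing "to", and the trailing context line "This process makes has the following advantages:" is still ungrammatical and worth fixing while this section is being edited.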
@@ -413,33 +440,54 @@ This process makes has the following advantages: There are two scenarios when the `boot.wim` boot image is updated by Configuration Manager: -1. When updating between versions of Configuration Manager or when applying hotfix roll ups (HFRUs) to Configuration Manager, `boot.wim` may be updated as part of the update process. +1. When upgrading between versions of Configuration Manager or when applying hotfix roll ups (HFRUs) to Configuration Manager, `boot.wim` may be updated as part of the upgrade process. 1. When selecting the option **Reload this boot image with the current Windows PE version from the Windows ADK** in the **Update Distribution Points Wizard**. In theses scenarios, the `boot.wim` boot image is updated using the `winpe.wim` boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the `boot.wim` boot image using the current version of the `winpe.wim` boot image that is part of the Windows ADK. +### Which boot image should be updated? + +When adding a cumulative update to a Configuration Manager boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK. After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager by using the **Reload this boot image with the current Windows PE version from the Windows ADK** option in the **Update Distribution Points Wizard**. + +The `winpe.wim` boot image from the Windows ADK should be updated when using Configuration Manager because: + +1. If `boot.wim` is updated, then the next time `boot.wim` is updated via a Configuration Manager upgrade or the **Reload this boot image with the current Windows PE version from the Windows ADK** option, the changes made to `boot.wim` including the cumulative updates applied will be lost. 
If the `winpe.wim` boot image from the Windows ADK is updated instead, the the changes to the boot image including the cumulative updates applied will be preserved. + +1. If `boot..wim` is updated, then it will not only face the issues when `boot.wim` is updated, but it will also lose any changes, including the cumulative update, when any changes are done to the boot image (e.g. adding drivers, enabling the command prompt, etc.). Additionally, it will change the hash value of the boot image which can lead to download failures when downloading the boot image from a distribution point. + +By updating `winpe.wim` from the Windows ADK, this will ensure that the cumulative update will stay applied regardless of what changes are made to the boot image via Configuration Manager. + ### Microsoft Configuration Manager boot image required components -The following components are required by Microsoft Configuration Manager in the boot image for Configuration Manager to function correctly: +The following components are required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly: -- Scripting/WinPE-Scripting (WinPE-Scripting) -- Startup/WinPE-SecureStartup (WinPE-SecureStartup) -- Network/WinPE-WDS-Tools (WinPE-WDS-Tools) -- Scripting/WinPE-WMI (WinPE-WMI) +| Feature | File Name | Dependance | +|---------|-----------|------------| +| Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | +| Network/WinPE-WDS-Tools | `WinPE-WDS-Tools.cab` | NA | +| Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | +| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | -Once any optional components has been manually added to a boot image, Configuration Manager will detect that the optional component has already been added. It will not try to add the optional component again whenever it is updating the boot image. 
+When adding optional components to any boot image used by Configuration Manager during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to add the above components in the above order to the boot image. -### Adding optional components manually vs. adding optional components through Configuration Manager +### Add optional components manually -For Microsoft Configuration Manager boot images, make sure to add any desired optional components manually using the above command lines instead of adding them through Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. This is because the cumulative update being applied at the next step will also update any optional components as needed. If the optional components are instead added through Configuration Manager, then the optional components will not be updated with the cumulative update. This could lead to unexpected behaviors and problems. +For Microsoft Configuration Manager boot images, when applying a cumulative update to a boot image, make sure to add any desired optional components manually using the above command lines instead of adding them through Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. Optional components need to be added to the boot image manually instead of via Configuration Manager because: + +- When the cumulative update is applied, it will also update any optional components as needed. +- If the optional components are instead added through Configuration Manager after a cumulative update has been applied to the boot image, then the optional components will not be updated with the cumulative update. This could lead to unexpected behaviors and problems. 
+ +Once any optional components has been manually added to a boot image, if that optional component is attempted to be added via the **Optional Components** tab in the **Properties** of the boot image in Configuration Manager, Configuration Manager will detect that the optional component has already been added and it will not try to add the optional component again. ## Microsoft Deployment Toolkit (MDT) considerations Copy boot files +since the Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT. + ## Windows Deployment Services (WDS) considerations -The **boot.wim** that is part of Windows installation media isn't supported for deploying Windows 11 with Windows Deployment Services (WDS). Additionally, the **boot.wim** from Windows 11 installation media isn't supported for deploying any version of Windows with Windows Deployment Services (WDS). For more information, see [Windows Deployment Services (WDS) boot.wim support](wds-boot-support.md) +The **boot.wim** that is part of Windows installation media isn't supported for deploying Windows 11 with Windows Deployment Services (WDS). Additionally, the **boot.wim** from Windows 11 installation media isn't supported for deploying any version of Windows with Windows Deployment Services (WDS). For more information, see [Windows Deployment Services (WDS) boot.wim support](wds-boot-support.md). ## Windows Server 2012 R2 From 45be907e267f94640c5446d65742b5419554c251 Mon Sep 17 00:00:00 2001 
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 1 Aug 2023 16:26:52 -0400 Subject: [PATCH 041/110] Update Boot Image with CU Article 35 --- windows/deployment/update-boot-image.md | 50 ++++++++++++++++++------- 1 file changed, 37 insertions(+), 13 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 0435789f25..9823179880 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -59,7 +59,7 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum > > It's strongly recommended to download and install the latest version of the Windows ADK and the Windows PE add-on for the Windows ADK. > -> However, since the Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT. +> However, the Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. If using MDT, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT. > > Additionally, the latest versions of the **Windows PE add-on for the Windows ADK** only includes 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images. 
@@ -121,9 +121,9 @@ Adjust the above paths for 32-bit boot images (only available in Windows 10 ADKs DISM.exe /Mount-image /imagefile:"" /Index:1 /MountDir:"" ``` - **Example**: + Example: - `MDISM.exe /Mount-image /imagefile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /Index:1 /MountDir:"C:\Mount"` + **DISM.exe /Mount-image /imagefile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /Index:1 /MountDir:"C:\Mount"** For more information, see [Modify a Windows image using DISM: Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) and [DISM Image Management Command-Line Options: /Mount-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#mount-image). 
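Review bot: the replacement example line wraps the whole DISM command in `**...**` instead of a code span, so the `MDISM.exe` typo is fixed but the command is no longer rendered as code. A command line full of backslashes and quotes belongs in inline code or a fenced `cmd` block, matching the fenced syntax line just above it. The label also changes from `**Example**:` to plain `Example:`; keep it bold unless every tab is changed the same way.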
@@ -165,18 +165,18 @@ For more information, see [Add and Remove Driver packages to an offline Windows --- -Drivers are not affected by the cumulative update installed later in this walkthrough. Once a driver is added to a boot image, it does not need to be added again if a newer cumulative update is installed at a later point in time. +Drivers are not affected by the cumulative update installed later in this walkthrough. Once a driver is added to a boot image, it does not need to be added again if a newer cumulative update is applied to the boot image at a later point in time. > [!TIP] > -> A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provide basic functionality while in WinPE. In most cases, no drivers need to be added to an out of box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verifed that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers. +> A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provide basic functionality while in WinPE. In most cases, no drivers need to be added to an out of box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verified that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers. > [!IMPORTANT] > > For Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT) boot images, don't manually add drivers to the boot image using the above steps. 
Instead, add drivers to the boot images via Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT): > > - In Configuration Manager, via the **Drivers** tab in the **Properties** of the boot image. -> - In Microsoft Deployment Toolkit (MDT), via the **Out-of-Box Drivers** tab in the **Properties** of the boot image. +> - In Microsoft Deployment Toolkit (MDT), via the **Drivers and Patches** tab under the **Windows PE** tab in the **Properties** of the deployment share. > > This will ensure that the drivers in the boot image can be properly managed through Configuration Manager or Microsoft Deployment Toolkit (MDT). 
@@ -426,38 +426,60 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag Microsoft Configuration Manager creates its own boot images by taking the `winpe.wim` from the Windows ADK, adding some [optional components it requires](#microsoft-configuration-manager-boot-image-required-components) to function correctly, and then saving the boot image as `boot.wim` in the directory `\OSD\boot\\boot.wim`. This `boot.wim` boot image is considered the pristine authoritative copy of the boot image by Configuration Manager and is never touched, modified, or updated by Configuration Manager except in some very specific scenarios. Instead, when changes such as: - Adding drivers -- Adding additional optional components +- Adding optional components - Enabling the command prompt -are done in the properties of the boot image in Configuration Manager, Configuration Manager makes a copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. If any additional changes are done to the boot image, Configuration Manager discards the previously created `boot..wim` boot image, makes a copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. In other words, `boot.wim` is never touched. Any time any changes are made to a boot image, both the new changes and any changes done in the past are reapplied to a new copy of `boot.wim`. The new changes are not applied the existing copy of `boot..wim`. +are done in the properties of the boot image in Configuration Manager, Configuration Manager makes a copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. If any additional changes are done to the boot image, Configuration Manager discards the previously created `boot..wim` boot image, makes a new copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. 
In other words, `boot.wim` is never touched. Any time any changes are made to a boot image, both the new changes and any changes done in the past are all reapplied to a new copy of `boot.wim`. This process makes has the following advantages: 1. Keeps `boot.wim` pristine. + 1. Makes sure that when changes are made to a boot image, they are being done to a copy of a pristine version of the boot image that hasn't had been modified in the past. This helps avoid corruption and/or corrects issues with existing boot images. + 1. Helps manage components in the boot image. The process doesn't need to know what components it might need to remove from the boot image each time the boot image is rebuilt. Instead, it just needs to know what components to add to the boot image. + 1. Reduces the size of the boot image that can occur when components are removed from the boot image. There are two scenarios when the `boot.wim` boot image is updated by Configuration Manager: 1. When upgrading between versions of Configuration Manager or when applying hotfix roll ups (HFRUs) to Configuration Manager, `boot.wim` may be updated as part of the upgrade process. + 1. When selecting the option **Reload this boot image with the current Windows PE version from the Windows ADK** in the **Update Distribution Points Wizard**. In theses scenarios, the `boot.wim` boot image is updated using the `winpe.wim` boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the `boot.wim` boot image using the current version of the `winpe.wim` boot image that is part of the Windows ADK. -### Which boot image should be updated? +### Which boot image should be updated with the cumulative update? -When adding a cumulative update to a Configuration Manager boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK. 
After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager by using the **Reload this boot image with the current Windows PE version from the Windows ADK** option in the **Update Distribution Points Wizard**. +When adding a cumulative update to a Configuration Manager boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK. After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager by using the following steps: -The `winpe.wim` boot image from the Windows ADK should be updated when using Configuration Manager because: +1. Open the Microsoft Configuration manager console. -1. If `boot.wim` is updated, then the next time `boot.wim` is updated via a Configuration Manager upgrade or the **Reload this boot image with the current Windows PE version from the Windows ADK** option, the changes made to `boot.wim` including the cumulative updates applied will be lost. If the `winpe.wim` boot image from the Windows ADK is updated instead, the the changes to the boot image including the cumulative updates applied will be preserved. +1. In the Microsoft Configuration manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**. + +1. In the **Boot Images** pane, select the desired boot image. + +1. In the toolbar, select **Update Distribution Points**. + +1. In the **Update Distribution Points Wizard** window that appears: + + 1. In the **General**/**Update distribution points with this image** page, select the **Reload this boot image with the current Windows PE version from the Windows ADK** option, and then select the **Next >** button. + + 1. In the **Summary** page, select the **Next >** button. + + 1. The **Progress** page will appears while the boot image builds. + + 1. 
Once the boot image finishes building, the **Completion**/**The task "Update Distribution Points Wizard" completed successfully** page will appear. Select the **Close** button. + +When using Configuration Manager, the `winpe.wim` boot image from the Windows ADK should be updated instead of the `boot.wim` from Configuration Manager because: + +1. If `boot.wim` is updated, then the next time `boot.wim` is updated via a Configuration Manager upgrade or the **Reload this boot image with the current Windows PE version from the Windows ADK** option, the changes made to `boot.wim` including the cumulative updates applied will be lost. If the `winpe.wim` boot image from the Windows ADK is updated instead, then the changes to the boot image including the cumulative updates applied will persist and be preserved. 1. If `boot..wim` is updated, then it will not only face the issues when `boot.wim` is updated, but it will also lose any changes, including the cumulative update, when any changes are done to the boot image (e.g. adding drivers, enabling the command prompt, etc.). Additionally, it will change the hash value of the boot image which can lead to download failures when downloading the boot image from a distribution point. By updating `winpe.wim` from the Windows ADK, this will ensure that the cumulative update will stay applied regardless of what changes are made to the boot image via Configuration Manager. -### Microsoft Configuration Manager boot image required components +### Boot image required components The following components are required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly: 
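Review bot: renaming the heading to `### Boot image required components` at the end of this hunk changes its generated anchor, but the link in the hunk's first context line still targets `#microsoft-configuration-manager-boot-image-required-components`, so that in-page link no longer resolves. Either keep the old heading text or update the link in the same commit. Smaller points in the added steps: "The **Progress** page will appears" should be "will appear", "Microsoft Configuration manager console" should capitalize "Manager" in both places, and "will persist and be preserved" says the same thing twice.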
@@ -470,6 +492,8 @@ The following components are required by Microsoft Configuration Manager boot im When adding optional components to any boot image used by Configuration Manager during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to add the above components in the above order to the boot image. +After adding the required components to the boot image, any additional optional components can also be added to the boot image. + ### Add optional components manually For Microsoft Configuration Manager boot images, when applying a cumulative update to a boot image, make sure to add any desired optional components manually using the above command lines instead of adding them through Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. Optional components need to be added to the boot image manually instead of via Configuration Manager because: From ddbe00600b3af9674e5819b397f22958ee2c3765 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 1 Aug 2023 16:45:33 -0400 Subject: [PATCH 042/110] Update Boot Image with CU Article 36 --- windows/deployment/update-boot-image.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 9823179880..fa75b5b81c 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -139,6 +139,11 @@ From an elevated **PowerShell** command prompt, run the following command to add ```powershell Add-WindowsDriver -Path "" -Driver "\.inf" + +Example: + +Add-WindowsDriver -Path "C:\Mount" -Driver "C:\Drivers\driver.inf" + ``` or 
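Review bot: in the `@@ -139,6 +139,11 @@` hunk the `Example:` label and the sample command are added before the closing fence, so they become part of the `powershell` code block, and anyone copying the block gets `Example:` as a line of PowerShell along with the placeholder command. Close the fence after the syntax line and put the example in its own fenced block, with the label as normal text outside it.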
@@ -147,6 +152,11 @@ or Add-WindowsDriver -Path "" -Driver "" -Recurse ``` +**Example**: + +Add-WindowsDriver -Path "C:\Mount" -Driver "C:\Drivers\" -Recurse + + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) From an elevated **Deployment and Imaging Tools Environment** command prompt, run one of the following command to add drivers to the boot image: @@ -423,7 +433,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag ### How Microsoft Configuration Manager creates boot images -Microsoft Configuration Manager creates its own boot images by taking the `winpe.wim` from the Windows ADK, adding some [optional components it requires](#microsoft-configuration-manager-boot-image-required-components) to function correctly, and then saving the boot image as `boot.wim` in the directory `\OSD\boot\\boot.wim`. This `boot.wim` boot image is considered the pristine authoritative copy of the boot image by Configuration Manager and is never touched, modified, or updated by Configuration Manager except in some very specific scenarios. Instead, when changes such as: +Microsoft Configuration Manager creates its own boot images by taking the `winpe.wim` from the Windows ADK, adding some [optional components it requires](#configuration-manager-boot-image-required-components) to function correctly, and then saving the boot image as `boot.wim` in the directory `\OSD\boot\\boot.wim`. This `boot.wim` boot image is considered the pristine authoritative copy of the boot image by Configuration Manager and is never touched, modified, or updated by Configuration Manager except in some very specific scenarios. Instead, when changes such as: - Adding drivers - Adding optional components 
@@ -479,7 +489,7 @@ When using Configuration Manager, the `winpe.wim` boot image from the Windows AD By updating `winpe.wim` from the Windows ADK, this will ensure that the cumulative update will stay applied regardless of what changes are made to the boot image via Configuration Manager. -### Boot image required components +### Configuration Manager boot image required components The following components are required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly: From 0282239ebb9c0251c6cd8e4bc61e9f3f362117bd Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 1 Aug 2023 17:08:00 -0400 Subject: [PATCH 043/110] Update Boot Image with CU Article 37 --- windows/deployment/update-boot-image.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index fa75b5b81c..e4332db38c 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -140,10 +140,9 @@ From an elevated **PowerShell** command prompt, run the following command to add ```powershell Add-WindowsDriver -Path "" -Driver "\.inf" -Example: - -Add-WindowsDriver -Path "C:\Mount" -Driver "C:\Drivers\driver.inf" +# Example: +# Add-WindowsDriver -Path "C:\Mount" -Driver "C:\Drivers\driver.inf" ``` or 
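Review bot: in the `@@ -140,10 +140,9 @@` hunk, commenting out the example inside the `powershell` fence keeps the block valid, but it leaves the sample as a comment directly under the placeholder syntax, where it is copied along with it and has to be uncommented by hand. The `@@ -202,6 +201,12 @@` hunk in this same patch uses a `**Example**:` label followed by a separate fenced block; doing the same here would keep the two sections consistent.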
@@ -202,6 +201,12 @@ Drivers are not affected by the cumulative update installed later in this walkth Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" -Path "" -Verbose ``` + **Example**: + + ```powershell + Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab" -Path "C:\Mount" -Verbose + ``` + This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). From 88acab38a8bb053b5a382bab7e70d76ab8323aac Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 1 Aug 2023 17:59:56 -0400 Subject: [PATCH 044/110] Update Boot Image with CU Article 38 --- windows/deployment/update-boot-image.md | 131 +++++++++++++++++++++--- 1 file changed, 117 insertions(+), 14 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index e4332db38c..7b90088dc7 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -109,7 +109,9 @@ Adjust the above paths for 32-bit boot images (only available in Windows 10 ADKs **Example**: - `Mount-WindowsImage -Path "C:\Mount" -ImagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Index 1 -Verbose` + ```powershell + Mount-WindowsImage -Path "C:\Mount" -ImagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Index 1 -Verbose + ``` For more information, see [Mount-WindowsImage](/powershell/module/dism/mount-windowsimage). 
@@ -123,7 +125,9 @@ Adjust the above paths for 32-bit boot images (only available in Windows 10 ADKs Example: - **DISM.exe /Mount-image /imagefile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /Index:1 /MountDir:"C:\Mount"** + ```cmd + DISM.exe /Mount-image /imagefile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /Index:1 /MountDir:"C:\Mount" + ``` For more information, see [Modify a Windows image using DISM: Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) and [DISM Image Management Command-Line Options: /Mount-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#mount-image). @@ -135,14 +139,10 @@ If needed, add any drivers to the boot image: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) -From an elevated **PowerShell** command prompt, run the following command to add drivers to the boot image: +From an elevated **PowerShell** command prompt, run one of the following commands to add drivers to the boot image: ```powershell Add-WindowsDriver -Path "" -Driver "\.inf" - -# Example: - -# Add-WindowsDriver -Path "C:\Mount" -Driver "C:\Drivers\driver.inf" ``` or 
@@ -151,14 +151,21 @@ or Add-WindowsDriver -Path "" -Driver "" -Recurse ``` -**Example**: +**Examples**: -Add-WindowsDriver -Path "C:\Mount" -Driver "C:\Drivers\" -Recurse +```powershell +Add-WindowsDriver -Path "C:\Mount" -Driver "C:\Drivers\driver.inf" +``` +or + +```powershell +Add-WindowsDriver -Path "C:\Mount" -Driver "C:\Drivers" -Recurse +``` ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) -From an elevated **Deployment and Imaging Tools Environment** command prompt, run one of the following command to add drivers to the boot image: +From an elevated **Deployment and Imaging Tools Environment** command prompt, run one of the following commands to add drivers to the boot image: ```cmd DISM.exe /Image:"" /Add-Driver /Driver:"\.inf" @@ -170,6 +177,18 @@ or DISM.exe /Image:"" /Add-Driver /Driver:"" /Recurse ``` +**Examples**: + +```cmd +DISM.exe /Image:"C:\Mount" /Add-Driver /Driver:"C:\Drivers\driver.inf" +``` + +or + +```cmd +DISM.exe /Image:"C:\Mount" /Add-Driver /Driver:"C:\Drivers" /Recurse +``` + For more information, see [Add and Remove Driver packages to an offline Windows Image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image) --- @@ -207,7 +226,7 @@ Drivers are not affected by the cumulative update installed later in this walkth Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab" -Path "C:\Mount" -Verbose ``` - This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. + These examples assume a 64-bit boot image. If a different architecture is being used, then adjust the paths in the commands accordingly. For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). 
@@ -219,7 +238,13 @@ Drivers are not affected by the cumulative update installed later in this walkth DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" ``` - This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. + **Example**: + + ```cmd + DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureStartup.cab" + ``` + + These examples assume a 64-bit boot image image. If a different architecture is being used, then adjust the paths in the commands accordingly. You can add as many desired optional components as needed on a single **DISM.exe** command line. 
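Review bot: the added closing sentence of this hunk reads "These examples assume a 64-bit boot image image."; drop the duplicated "image" so it matches the wording used in the PowerShell tab.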
@@ -239,7 +264,13 @@ Drivers are not affected by the cumulative update installed later in this walkth Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -Path "" -Verbose ``` - This example assumes a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly. + **Example**: + + ```powershell + Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WMI_en-us.cab" -Path "C:\Mount" -Verbose + ``` + + These examples assume a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly. ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) 
@@ -249,7 +280,13 @@ Drivers are not affected by the cumulative update installed later in this walkth DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" ``` - This example assumes a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly. + **Example**: + + ```cmd + DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WMI_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-SecureStartup_en-us.cab" + ``` + + These examples assume a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly. You can add as many desired optional components as needed on a single DISM.exe command line. @@ -279,6 +316,12 @@ From an elevated **PowerShell** command prompt, run the following command to add Add-WindowsPackage -PackagePath "" -Path "" -Verbose ``` +**Example**: + +```powershell +Add-WindowsPackage -PackagePath "C:\Updates\windows11.0-kb5026372-x64_d2e542ce70571b093d815adb9013ed467a3e0a85.msu" -Path "C:\Mount" -Verbose +``` + For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage) ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) 
@@ -289,6 +332,12 @@ From an elevated **Deployment and Imaging Tools Environment** command prompt, ru DISM.exe /Image:"" /Add-Package /PackagePath:"" ``` +**Example**: + +```cmd +DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Updates\windows11.0-kb5026372-x64_d2e542ce70571b093d815adb9013ed467a3e0a85.msu" +``` + For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). --- @@ -311,6 +360,14 @@ Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files ( Copy-Item "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" -Force ``` +**Example**: + +```powershell +Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Force + +Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" -Force +``` + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to copy the boot files from the mounted boot image to the ADK installation path: 
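Review bot: Both `Copy-Item` lines in the added example use `-Force` against the ADK's `Media\bootmgr.efi` and `Media\EFI\Boot\bootx64.efi`, so the ADK's existing boot files are overwritten and no copy of them is kept. Suggest adding a step before the example that backs up the two ADK files, so the previous boot files can be restored if they are needed again.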
@@ -337,6 +394,14 @@ Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase" -Wait -LoadUserProfile ``` +**Example**: + +```powershell +Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase /Defer" -Wait -LoadUserProfile + +Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase" -Wait -LoadUserProfile +``` + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to clean up the mounted boot image and help reduce its size: @@ -347,6 +412,14 @@ DISM.exe /Image:"" /Cleanup-image /StartComponentCleanup /Res DISM.exe /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase ``` +**Example**: + +```cmd +DISM.exe /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase /Defer + +DISM.exe /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase +``` + For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Cleanup-Image](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#cleanup-image). --- 
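Review bot: In the PowerShell example of the `@@ -337,6 +394,14 @@` hunk, the `-ArgumentList` value nests unescaped double quotes, `" /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase /Defer"`, so the inner quote closes the string right after `/Image:` and the arguments are not passed to DISM as the single string the command intends. Suggest single-quoting the outer string in both lines of the example, as in `-ArgumentList '/Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase /Defer'`. The `DISM.exe` lines in the Command Line example (`@@ -347,6 +412,14 @@`) are fine as written.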
@@ -363,6 +436,12 @@ From an elevated **PowerShell** command prompt, run the following command to ver Get-WindowsPackage -Path "" ``` +**Example**: + +```powershell +Get-WindowsPackage -Path "C:\Mount" +``` + For more information, see [Get-WindowsPackage](/powershell/module/dism/get-windowspackage). ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) @@ -373,6 +452,12 @@ From an elevated **Deployment and Imaging Tools Environment** command prompt, ru DISM.exe /Image:"" /Get-Packages ``` +**Example**: + +```cmd +DISM.exe /Image:"C:\Mount" /Get-Packages +``` + For more information, see [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Get-Packages](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#get-packages). --- @@ -389,6 +474,12 @@ From an elevated **PowerShell** command prompt, run the following command to unm Dismount-WindowsImage -Path "" -Save -Verbose ``` +**Example**: + +```powershell +Dismount-WindowsImage -Path "C:\Mount" -Save -Verbose +``` + For more information, see [Dismount-WindowsImage](/powershell/module/dism/dismount-windowsimage). ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) @@ -399,6 +490,12 @@ From an elevated **Deployment and Imaging Tools Environment** command prompt, ru DISM.exe /Unmount-Image /MountDir:"" /Commit ``` +**Example:** + +```cmd +DISM.exe /Unmount-Image /MountDir:"C:\Mount" /Commit +``` + For more information, see [Modify a Windows image using DISM: Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image) and [DISM Image Management Command-Line Options: /Unmount-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#unmount-image). --- 
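Review bot: The example added in the `DISM.exe /Unmount-Image` hunk is introduced with `**Example:**` (colon inside the bold), while the other examples added in this patch use `**Example**:`. Suggest changing it to `**Example**:` for consistency.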
@@ -415,6 +512,12 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag Export-WindowsImage -SourceImagePath "\.wim" -SourceIndex 1 -DestinationImagePath "\-export.wim" -CompressionType max -Verbose ``` + **Example**: + + ```powershell + Export-WindowsImage -SourceImagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -SourceIndex 1 -DestinationImagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim" -CompressionType max -Verbose + ``` + For more information, see [Export-WindowsImage](/powershell/module/dism/export-windowsimage). ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) From bf102e59242f34947441da83bf1c908f52bee477 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 1 Aug 2023 21:17:38 -0400 Subject: [PATCH 045/110] Update Boot Image with CU Article 39 --- windows/deployment/update-boot-image.md | 148 +++++++++++++++++++----- 1 file changed, 116 insertions(+), 32 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 7b90088dc7..455a597c82 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -292,11 +292,11 @@ Drivers are not affected by the cumulative update installed later in this walkth --- -For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). +For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). > [!IMPORTANT] > -> When adding optional components, make sure to install optional components that are prerequisites of other optional components. Additionally, make sure that the prerequisite is installed first. For more information on adding optional components, see [WinPE Optional Components (OC) Reference: How to add Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#how-to-add-optional-components). +> When adding optional components, make sure check if an optional component has a prerequisite of another optional component. When an optional component does have a prerequisite, make sure that the prerequisite component is installed first. For more information on adding optional components, see [WinPE Optional Components (OC) Reference: How to add Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#how-to-add-optional-components). > [!IMPORTANT] 
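Review bot: The rewritten IMPORTANT note reads "make sure check if an optional component has a prerequisite of another optional component", which is missing "to" and is hard to parse. Suggest "make sure to check whether an optional component has another optional component as a prerequisite".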
> @@ -348,11 +348,11 @@ For more information, see [Add or Remove Packages Offline Using DISM](/windows-h ## Step 8: Copy boot files from mounted boot image to ADK installation path -Copy the updated bootmgr files from the updated boot image to the ADK installation path: +Some cumulative updates will update the bootmgr boot files in the boot image. After these bootmgr boot files have been updated in the boot image, it's recommended to copy these updated bootmgr boot files from the boot image back to the Windows ADK. This will ensure that the Windows ADK has the updated bootmgr boot files. ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) -From an elevated **PowerShell** command prompt, run the following command to copy the boot files from the mounted boot image to the ADK installation path: +From an elevated **PowerShell** command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path: ```powershell Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Force 
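Review bot: The new Step 8 introduction says "Some cumulative updates will update the bootmgr boot files" but gives the reader no way to tell whether the update just applied did so, and the tab text still says "run the following command" although two `Copy-Item` commands follow. Suggest stating either that the copy can be run after every cumulative update regardless, or how to compare the files in the mounted image with the ADK copies, and changing "command" to "commands" as the MDT section does.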
@@ -370,15 +370,31 @@ Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windo ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) -From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to copy the boot files from the mounted boot image to the ADK installation path: +From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path: ```cmd -Command to be determined +copy "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" /Y + +copy "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" /Y +``` + +**Example**: + +```cmd +copy "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" /Y + +copy "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" /Y ``` --- -This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr files are available to the ADK when creating bootable media. 
In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). +This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr boot files are available to the ADK when creating bootable media. This includes any product that uses the ADK to create bootable media. + +In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). + +> [!IMPORTANT] +> +> If using Microsoft Deployment Toolkit (MDT), make sure to also follow the section [Copy updated boot files to MDT deployment share](#copy-updated-boot-files-to-mdt-deployment-share) before proceeding to the next step. ## Step 9: Perform component cleanup 
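Review bot: The KB5025885 link carried into the rewritten paragraph points at `prod.support.services.microsoft.com`, which does not look like the public support host; the CVE link beside it uses `msrc.microsoft.com`. Suggest confirming the host and switching to the public `support.microsoft.com` URL, since this is the paragraph that ties the step to the BlackLotus revocations and the link has to resolve for external readers.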
@@ -569,7 +585,15 @@ In theses scenarios, the `boot.wim` boot image is updated using the `winpe.wim` ### Which boot image should be updated with the cumulative update? -When adding a cumulative update to a Configuration Manager boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK. After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager by using the following steps: +When adding a cumulative update to a Configuration Manager boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK instead of directly updating the `boot.wim` boot image generated by Configuration Manager. The `winpe.wim` boot image from the Windows ADK should be updated instead of the `boot.wim` boot image generated by Configuration Manager for the following reasons: + +1. If `boot.wim` is updated, then the next time `boot.wim` is updated via a Configuration Manager upgrade or the **Reload this boot image with the current Windows PE version from the Windows ADK** option, the changes made to `boot.wim` including the applied cumulative update will be lost. If the `winpe.wim` boot image from the Windows ADK is updated instead, then the changes to the Configuration Manager boot image including the applied cumulative update will persist and be preserved when Configuration Manager does update the `boot.wim` boot image. + +1. If `boot..wim` is updated, then it will not only face the issues when `boot.wim` is updated, but it will also lose any changes, including the applied cumulative update, when any changes are done to the boot image (e.g. adding drivers, enabling the command prompt, etc.). Additionally, it will change the hash value of the boot image which can lead to download failures when downloading the boot image from a distribution point. 
+ +By updating `winpe.wim` from the Windows ADK, this will ensure that the cumulative update will stay applied regardless of what changes are made to the `boot.wim` boot image via Configuration Manager. + +After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager by using the following steps: 1. Open the Microsoft Configuration manager console. 
@@ -589,30 +613,11 @@ When adding a cumulative update to a Configuration Manager boot image, it's reco 1. Once the boot image finishes building, the **Completion**/**The task "Update Distribution Points Wizard" completed successfully** page will appear. Select the **Close** button. +This process in addition to updating the boot image used by Configuration Manager will also update the boot images and the boot files used by any PXE enabled distribution points. + When using Configuration Manager, the `winpe.wim` boot image from the Windows ADK should be updated instead of the `boot.wim` from Configuration Manager because: -1. If `boot.wim` is updated, then the next time `boot.wim` is updated via a Configuration Manager upgrade or the **Reload this boot image with the current Windows PE version from the Windows ADK** option, the changes made to `boot.wim` including the cumulative updates applied will be lost. If the `winpe.wim` boot image from the Windows ADK is updated instead, then the changes to the boot image including the cumulative updates applied will persist and be preserved. - -1. If `boot..wim` is updated, then it will not only face the issues when `boot.wim` is updated, but it will also lose any changes, including the cumulative update, when any changes are done to the boot image (e.g. adding drivers, enabling the command prompt, etc.). Additionally, it will change the hash value of the boot image which can lead to download failures when downloading the boot image from a distribution point. - -By updating `winpe.wim` from the Windows ADK, this will ensure that the cumulative update will stay applied regardless of what changes are made to the boot image via Configuration Manager. 
- -### Configuration Manager boot image required components - -The following components are required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly: - -| Feature | File Name | Dependance | -|---------|-----------|------------| -| Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | -| Network/WinPE-WDS-Tools | `WinPE-WDS-Tools.cab` | NA | -| Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | -| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | - -When adding optional components to any boot image used by Configuration Manager during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to add the above components in the above order to the boot image. - -After adding the required components to the boot image, any additional optional components can also be added to the boot image. - -### Add optional components manually +### Add optional components manually to Configuration Manager boot images For Microsoft Configuration Manager boot images, when applying a cumulative update to a boot image, make sure to add any desired optional components manually using the above command lines instead of adding them through Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. Optional components need to be added to the boot image manually instead of via Configuration Manager because: 
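Review bot: With the two numbered reasons and the closing paragraph removed here (they were moved above the console steps by the previous hunk), the context sentence ending "should be updated instead of the `boot.wim` from Configuration Manager because:" is left with nothing after it but the next heading. Suggest deleting that sentence in this hunk, since the reasons now appear before the console steps.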
@@ -621,11 +626,90 @@ For Microsoft Configuration Manager boot images, when applying a cumulative upda Once any optional components has been manually added to a boot image, if that optional component is attempted to be added via the **Optional Components** tab in the **Properties** of the boot image in Configuration Manager, Configuration Manager will detect that the optional component has already been added and it will not try to add the optional component again. +### Configuration Manager boot image required components + +The following components are required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly: + +| Feature | File Name | Dependency | +|---------|-----------|------------| +| Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | +| Network/WinPE-WDS-Tools | `WinPE-WDS-Tools.cab` | NA | +| Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | +| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | + +When adding optional components to any boot image used by Configuration Manager during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, any additional optional components can also be added to the boot image. + +For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). + +### Updating Configuration Manager boot media + +After completing the walkthrough, update any Configuration Manager boot media to ensure that the boot media has both the updated boot image and if applicable, updated boot files. 
+ ## Microsoft Deployment Toolkit (MDT) considerations -Copy boot files +Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. When using MDT, the recommendation is to use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads) instead of the latest version of the Windows ADK. **ADK for Windows 10, version 2004** was the last version of the Windows ADK supported by MDT. -since the Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT. +### MDT boot image required components + +The following components are required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly: + +| Feature | File Name | Dependency | +|---------|-----------|------------| +| Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | +| Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | +| File management/WinPE-FMAPI | `WinPE-FMAPI.cab` | NA | +| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | +| HTML/WinPE-HTA | `WinPE-HTA.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | + +When adding optional components to any boot image used by MDT during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, any additional optional components can also be added to the boot image. 
+ +For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). + +### Copy updated boot files to MDT deployment share + +When the MDT deployment share is created, it copies the bootmgr boot files from the Windows ADK to the MDT deployment share. When using MDT, if the cumulative update updates the bootmgr boot files, these updated bootmgr boot files need to be manually copied to the MDT deployment share. This should be done during [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path): + +### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + +From an elevated **PowerShell** command prompt, run the following commands to copy the updated bootmgr boot files from the mounted boot image to the MDT deployment share: + +```powershell +Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "\Boot\x64\bootmgr.efi" -Force + +Copy-Item "\Windows\Boot\EFI\bootmgfw.efi" "\Boot\x64\EFI\Boot\bootx64.efi" -Force +``` + +**Example**: + +```powershell +Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\DeploymentShare\Boot\x64\bootmgr.efi" -Force + +Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\DeploymentShare\Boot\x64\EFI\Boot\bootx64.efi" -Force +``` + +### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + +From an elevated command prompt, run the following commands to copy the updated bootmgr boot files from the mounted boot image to the MDT deployment share: + +```cmd +copy "\Windows\Boot\EFI\bootmgr.efi" "\Boot\x64\bootmgr.efi" /Y + +copy "\Windows\Boot\EFI\bootmgfw.efi" "\Boot\x64\EFI\Boot\bootx64.efi" /Y +``` + +**Example**: + +```cmd +copy 
"C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\DeploymentShare\Boot\x64\bootmgr.efi" /Y + +copy "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\DeploymentShare\Boot\x64\EFI\Boot\bootx64.efi" /Y +``` + +--- + +### Updating MDT boot media + +After completing the walkthrough, update any MDT boot media to ensure that the boot media has both the updated boot image and if applicable, updated boot files. ## Windows Deployment Services (WDS) considerations From 6e620993c2b677994b0d962771bcbcc26a6c141b Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 2 Aug 2023 11:14:02 -0400 Subject: [PATCH 046/110] Update Boot Image with CU Article 40 --- windows/deployment/update-boot-image.md | 49 +++++++++++++++++-------- 1 file changed, 33 insertions(+), 16 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 455a597c82..1dc2719298 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -292,8 +292,6 @@ Drivers are not affected by the cumulative update installed later in this walkth --- -For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). - > [!IMPORTANT] > > When adding optional components, make sure check if an optional component has a prerequisite of another optional component. When an optional component does have a prerequisite, make sure that the prerequisite component is installed first. For more information on adding optional components, see [WinPE Optional Components (OC) Reference: How to add Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#how-to-add-optional-components). 
@@ -304,6 +302,25 @@ For a list of all available WinPE optional components including descriptions for > > Additionally, when adding any optional component for either **Microsoft Configuration Manager** or **Microsoft Deployment Toolkit (MDT)** boot images, make sure to add the components manually using the above command lines instead of adding them through **Configuration Manager** or **MDT**. For more information, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations) or [Microsoft Deployment Toolkit (MDT) considerations](#microsoft-deployment-toolkit-mdt-considerations). +### Popular optional components + +The following is a list of popular optional components that are commonly added to boot images: + +| **Feature** | **File Name** | **Dependency** | **Purpose** | **Required by ConfigMgr** | **Required by MDT** | +| --- | --- | --- | --- | --- | +| Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | | Yes | Yes | +| Network/WinPE-WDS-Tools | `WinPE-WDS-Tools.cab` | NA | | Yes | No | +| Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | | Yes | Yes | +| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | Yes | Yes| +| File management/WinPE-FMAPI | `WinPE-FMAPI.cab` | NA | | No | Yes | +| Windows PowerShell/WinPE-PowerShell | `WinPE-PowerShell.cab` | Scripting/WinPE-Scripting
Scripting/WinPE-WMI
Microsoft .NET/WinPE-NetFx | Supports running PowerShell commands and scripts in WinPE | No | No | +| Microsoft .NET/WinPE-NetFx | `WinPE-NetFx.cab` | Scripting/WinPE-WMI | Supports .Net applications in WinPE | No | No | +| Network/WinPE-Dot3Svc | `WinPE-Dot3Svc.cab` | NA | Supports the 802.1X network protocol in WinPE | No | No | +| HTML/WinPE-HTA | `WinPE-HTA.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | Supports running HTML applications in WinPE | No | No | +| Database/WinPE-MDAC | `WinPE-MDAC.cab` | NA | Supports connecting to databases in WinPE | No | No | + +For a full list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). + ## Step 7: Add cumulative update (CU) to boot image Apply the cumulative update (CU) downloaded earlier in the walkthrough to the boot image: 
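Review bot: The header row of the new "Popular optional components" table has six columns but the separator row `| --- | --- | --- | --- | --- |` has five, and the `WinPE-SecureStartup` row has only five cells (no Purpose), so its "Yes | Yes" values shift one column to the left. The `WinPE-Scripting`, `WinPE-WDS-Tools`, `WinPE-WMI` and `WinPE-FMAPI` rows also leave Purpose empty. Suggest adding the sixth `---` to the separator and giving every row a Purpose cell.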
@@ -630,14 +647,14 @@ Once any optional components has been manually added to a boot image, if that op The following components are required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly: -| Feature | File Name | Dependency | -|---------|-----------|------------| -| Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | -| Network/WinPE-WDS-Tools | `WinPE-WDS-Tools.cab` | NA | -| Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | -| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | +| **Feature** | **File Name** | **Dependency** | **Required by ConfigMgr** | +| --- | --- | --- | --- | +| Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | Yes | +| Network/WinPE-WDS-Tools | `WinPE-WDS-Tools.cab` | NA | Yes | +| Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | Yes | +| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | Yes | -When adding optional components to any boot image used by Configuration Manager during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, any additional optional components can also be added to the boot image. +When adding optional components to any boot image used by Configuration Manager during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image. 
For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). 
@@ -653,15 +670,15 @@ Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Wi The following components are required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly: -| Feature | File Name | Dependency | +| **Feature** | **File Name** | **Dependency** | **Required by MDT** | |---------|-----------|------------| -| Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | -| Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | -| File management/WinPE-FMAPI | `WinPE-FMAPI.cab` | NA | -| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | -| HTML/WinPE-HTA | `WinPE-HTA.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | +| Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | Yes | +| Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | Yes | +| File management/WinPE-FMAPI | `WinPE-FMAPI.cab` | NA | Yes | +| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | Yes | +| HTML/WinPE-HTA | `WinPE-HTA.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | Yes | -When adding optional components to any boot image used by MDT during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, any additional optional components can also be added to the boot image. +When adding optional components to any boot image used by MDT during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image. 
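Review bot: The header row gains a fourth column, **Required by MDT**, but the separator row `|---------|-----------|------------|` is left as context with three, so it no longer matches the header; the sentence above the table also still says the components are "required by Microsoft Configuration Manager boot images" although this is the MDT section. Suggest a four-column separator and "required by MDT boot images". This table also marks `WinPE-HTA` as required by MDT, while the "Popular optional components" table added earlier in this patch has "No" under **Required by MDT** for the same component; one of the two needs correcting.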
For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). From 3cd67f7df5c2ed5c6b43a902b05aa074994b8b10 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 2 Aug 2023 11:26:39 -0400 Subject: [PATCH 047/110] Update Boot Image with CU Article 41 --- windows/deployment/update-boot-image.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 1dc2719298..7cf0935259 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -294,7 +294,7 @@ Drivers are not affected by the cumulative update installed later in this walkth > [!IMPORTANT] > -> When adding optional components, make sure check if an optional component has a prerequisite of another optional component. When an optional component does have a prerequisite, make sure that the prerequisite component is installed first. For more information on adding optional components, see [WinPE Optional Components (OC) Reference: How to add Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#how-to-add-optional-components). +> When adding optional components, make sure to check if an optional component has a prerequisite for another optional component. When an optional component does have a prerequisite, make sure that the prerequisite component is installed first. For more information on adding optional components, see [WinPE Optional Components (OC) Reference: How to add Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#how-to-add-optional-components). > [!IMPORTANT] 
> @@ -308,11 +308,11 @@ The following is a list of popular optional components that are commonly added t | **Feature** | **File Name** | **Dependency** | **Purpose** | **Required by ConfigMgr** | **Required by MDT** | | --- | --- | --- | --- | --- | -| Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | | Yes | Yes | -| Network/WinPE-WDS-Tools | `WinPE-WDS-Tools.cab` | NA | | Yes | No | -| Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | | Yes | Yes | -| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | Yes | Yes| -| File management/WinPE-FMAPI | `WinPE-FMAPI.cab` | NA | | No | Yes | +| Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | Supports running non-PowerShell scripts in WinPE | Yes | Yes | +| Network/WinPE-WDS-Tools | `WinPE-WDS-Tools.cab` | NA | Supports WDS in WinPE, including image capture and multicast | Yes | No | +| Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | Supports WMI and WMI scripting in WinPE | Yes | Yes | +| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI | Supports managing BitLocker and TPMs within WinPE | Yes | Yes| +| File management/WinPE-FMAPI | `WinPE-FMAPI.cab` | NA | Supports access to the Windows PE File Management API | No | Yes | | Windows PowerShell/WinPE-PowerShell | `WinPE-PowerShell.cab` | Scripting/WinPE-Scripting
Scripting/WinPE-WMI
Microsoft .NET/WinPE-NetFx | Supports running PowerShell commands and scripts in WinPE | No | No | | Microsoft .NET/WinPE-NetFx | `WinPE-NetFx.cab` | Scripting/WinPE-WMI | Supports .Net applications in WinPE | No | No | | Network/WinPE-Dot3Svc | `WinPE-Dot3Svc.cab` | NA | Supports the 802.1X network protocol in WinPE | No | No | From 8e052d56dd76ebefb10b0d398d863a46bca13c16 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 2 Aug 2023 13:55:35 -0400 Subject: [PATCH 048/110] Update Boot Image with CU Article 42 --- windows/deployment/update-boot-image.md | 33 +++++++++++++++++++++---- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 7cf0935259..6ffd5d1db0 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -85,7 +85,7 @@ Before modifying the desired boot image, make a backup copy of the boot image th - For the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**, the boot image is located at `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim`. -- For the default 64-bit boot image that is generated by **Microsoft Configuration Manager**, the boot image is located at `\OSD\boot\x64\boot.wim`. However, for **Microsoft Configuration Manager** it's recommended to modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations). +- For the default 64-bit boot image that is generated by **Microsoft Configuration Manager**, the boot image is located at `\OSD\boot\x64\boot.wim`. For other boot images in Configuration Manager, the path to the boot image will be displayed in the **Image path:** field under the **Data Source** tab in the properties of the boot image. However, for **Microsoft Configuration Manager** it's recommended to modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations). - For the default 64-bit boot image that is generated by the **Microsoft Deployment Toolkit (MDT)**, the boot image is located at `\Boot\LiteTouchPE_x64.wim`. However, for **Microsoft Deployment Toolkit (MDT)** it's recommended to modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Deployment Toolkit (MDT) considerations](#microsoft-deployment-toolkit-mdt-considerations). 
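Review bot: The added sentence about the **Image path:** field lands in the middle of the Configuration Manager bullet, so the following "However, for **Microsoft Configuration Manager** it's recommended to modify the `winpe.wim` boot image" now contrasts with the wrong statement. Move the recommendation into its own indented paragraph under the bullet so the location details and the recommendation read independently, and do the same for the MDT bullet so the two stay parallel.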
@@ -93,6 +93,29 @@ Before modifying the desired boot image, make a backup copy of the boot image th Adjust the above paths for 32-bit boot images (only available in Windows 10 ADKs). +The following commands will backup the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**: +### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + +From an elevated **PowerShell** command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. This command won't automatically overwrite a backup of a boot image if one already exists: + +```powershell +Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.bak.wim" +``` + +Adjust paths and file names accordingly to back up other boot images. + +### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + +From an elevated command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. This command won't automatically overwrite a backup of a boot image if one already exists: + +```cmd +copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.bak.wim" +``` + +Adjust paths and file names accordingly to back up other boot images. + +--- + ## Step 4: Mount boot image to mount folder 1. Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. 
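Review bot: The claim "This command won't automatically overwrite a backup of a boot image if one already exists" does not hold for the PowerShell tab: `Copy-Item` as written replaces an existing `winpe.bak.wim` without prompting, so running it again after the image has been modified silently destroys the only clean backup. Guard the copy with a `Test-Path` check on the destination, or drop the claim from the PowerShell tab. In the Command Line tab, `copy` only prompts when run interactively; the same line in a batch file overwrites without asking, which is worth stating. Smaller points: "will backup" should be "will back up", the first `###` tab heading needs a blank line after the introductory sentence, and the context line "Create a new empty empty folder" has a doubled word.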
@@ -316,7 +339,7 @@ The following is a list of popular optional components that are commonly added t | Windows PowerShell/WinPE-PowerShell | `WinPE-PowerShell.cab` | Scripting/WinPE-Scripting
Scripting/WinPE-WMI
Microsoft .NET/WinPE-NetFx | Supports running PowerShell commands and scripts in WinPE | No | No | | Microsoft .NET/WinPE-NetFx | `WinPE-NetFx.cab` | Scripting/WinPE-WMI | Supports .Net applications in WinPE | No | No | | Network/WinPE-Dot3Svc | `WinPE-Dot3Svc.cab` | NA | Supports the 802.1X network protocol in WinPE | No | No | -| HTML/WinPE-HTA | `WinPE-HTA.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | Supports running HTML applications in WinPE | No | No | +| HTML/WinPE-HTA | `WinPE-HTA.cab` | Scripting/WinPE-WMI | Supports running HTML applications in WinPE | No | No | | Database/WinPE-MDAC | `WinPE-MDAC.cab` | NA | Supports connecting to databases in WinPE | No | No | For a full list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). @@ -652,7 +675,7 @@ The following components are required by Microsoft Configuration Manager boot im | Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | Yes | | Network/WinPE-WDS-Tools | `WinPE-WDS-Tools.cab` | NA | Yes | | Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | Yes | -| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | Yes | +| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI | Yes | When adding optional components to any boot image used by Configuration Manager during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image. 
@@ -675,8 +698,8 @@ The following components are required by Microsoft Configuration Manager boot im | Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | Yes | | Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | Yes | | File management/WinPE-FMAPI | `WinPE-FMAPI.cab` | NA | Yes | -| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | Yes | -| HTML/WinPE-HTA | `WinPE-HTA.cab` | Scripting/WinPE-WMI (`WinPE-WMI.cab`) | Yes | +| Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI | Yes | +| HTML/WinPE-HTA | `WinPE-HTA.cab` | Scripting/WinPE-WMI | Yes | When adding optional components to any boot image used by MDT during the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image. From a0d12e291d6b0b3c923890eaace8dfa9ae631e77 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 2 Aug 2023 15:00:04 -0400 Subject: [PATCH 049/110] Update Boot Image with CU Article 43 --- windows/deployment/update-boot-image.md | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 6ffd5d1db0..04c3adc1d7 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -67,11 +67,11 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum 1. Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update for the version of Windows that matches the version of Windows PE that was downloaded in [Step 1](#step-1-download-and-install-adk) or the version of the Windows PE boot image that will be updated. -1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"- cumulative update for windows "` where `year` is the four digit current year, `` is the two digit current month, and `` is the version of Windows that Windows PE is based on. For example, to search for the latest cumulative update for Windows 11 in July 2023, use the search term `"2023-07 cumulative update for windows 11"`. If the cumulative update hasn't been released yet for the current month, then search on the previous month. +1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"- cumulative update for windows "` where `year` is the four digit current year, `` is the two digit current month, and `` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in July 2023, use the search term `"2023-07 cumulative update for windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search on the previous month. 1. Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the **Cumulative Update for Windows 11 Version 22H2 for x64-based Systems** version of the update. -1. 
Store the downloaded cumulative update in a known location for later use. +1. Store the downloaded cumulative update in a known location for later use, for example `C:\Updates`. > [!TIP] 
> @@ -85,9 +85,13 @@ Before modifying the desired boot image, make a backup copy of the boot image th - For the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**, the boot image is located at `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim`. -- For the default 64-bit boot image that is generated by **Microsoft Configuration Manager**, the boot image is located at `\OSD\boot\x64\boot.wim`. For other boot images in Configuration Manager, the path to the boot image will be displayed in the **Image path:** field under the **Data Source** tab in the properties of the boot image. However, for **Microsoft Configuration Manager** it's recommended to modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations). +- For the default 64-bit boot image that is generated by **Microsoft Configuration Manager**, the boot image is located at `\OSD\boot\x64\boot.wim`. For other boot images in Configuration Manager, the path to the boot image will be displayed in the **Image path:** field under the **Data Source** tab in the **Properties** of the boot image. -- For the default 64-bit boot image that is generated by the **Microsoft Deployment Toolkit (MDT)**, the boot image is located at `\Boot\LiteTouchPE_x64.wim`. However, for **Microsoft Deployment Toolkit (MDT)** it's recommended to modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Deployment Toolkit (MDT) considerations](#microsoft-deployment-toolkit-mdt-considerations). + However, for **Microsoft Configuration Manager** it's recommended to modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. 
For more information, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations). + +- For the default 64-bit boot image that is generated by the **Microsoft Deployment Toolkit (MDT)**, the boot image is located at `\Boot\LiteTouchPE_x64.wim`. + + However, for **Microsoft Deployment Toolkit (MDT)** it's recommended to modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Deployment Toolkit (MDT) considerations](#microsoft-deployment-toolkit-mdt-considerations). - For 64-bit boot images in **Windows Deployment Services (WDS)**, the boot images are located at `\Boot\x64\Images`. @@ -264,7 +268,7 @@ Drivers are not affected by the cumulative update installed later in this walkth **Example**: ```cmd - DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureStartup.cab" + DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-Scripting.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WDS-Tools.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureStartup.cab" ``` These examples assume a 64-bit boot image image. If a different architecture is being used, then adjust the paths in the commands accordingly. 
@@ -290,7 +294,7 @@ Drivers are not affected by the cumulative update installed later in this walkth **Example**: ```powershell - Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WMI_en-us.cab" -Path "C:\Mount" -Verbose + Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab" -Path "C:\Mount" -Verbose ``` These examples assume a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly. 
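Review bot: After this change the PowerShell example installs only `WinPE-Scripting_en-us.cab`, while the Command Line example updated in the same patch installs Scripting, WMI, WDS-Tools and SecureStartup in that order, so the two tabs no longer produce the same boot image. Because SecureStartup depends on WMI, a reader following only the PowerShell tab gets no hint about the ordering. Show the same four components as repeated `Add-WindowsPackage` calls in the same order, or state that the command must be repeated once per component.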
@@ -306,7 +310,7 @@ Drivers are not affected by the cumulative update installed later in this walkth **Example**: ```cmd - DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WMI_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-SecureStartup_en-us.cab" + DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WMI_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WDS-Tools_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-SecureStartup_en-us.cab" ``` These examples assume a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly. @@ -359,7 +363,7 @@ Add-WindowsPackage -PackagePath "" -Path "" /Add-Package /PackagePath:" Date: Wed, 2 Aug 2023 19:42:49 -0400 Subject: [PATCH 050/110] Update Boot Image with CU Article 44 --- windows/deployment/update-boot-image.md | 86 +++++++++++-------------- 1 file changed, 39 insertions(+), 47 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 04c3adc1d7..c1c4e632d5 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -436,9 +436,9 @@ This step doesn't update or change the boot image. However, it makes sure that t In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). -> [!IMPORTANT] +> [!NOTE] > -> If using Microsoft Deployment Toolkit (MDT), make sure to also follow the section [Copy updated boot files to MDT deployment share](#copy-updated-boot-files-to-mdt-deployment-share) before proceeding to the next step. +> Both **Microsoft Configuration Manager** and **Microsoft Deployment Toolkit (MDT)** will automatically extract these bootmgr boot files from the boot images as needed. No additional steps are needed for these products. ## Step 9: Perform component cleanup 
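Review bot: The replacement note says "No additional steps are needed for these products", but "as needed" does not tell the reader when the updated bootmgr files are actually picked up, and this is the step the article ties to CVE-2023-24932. State what triggers the extraction: elsewhere in this patch the text says Update Distribution Points refreshes the boot files on PXE enabled distribution points, and that MDT boot media must be updated after the Deployment Share. Without that, a reader can assume existing PXE points and boot media already serve the patched boot manager. Downgrading from `[!IMPORTANT]` to `[!NOTE]` is fine once that is spelled out.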
@@ -588,6 +588,12 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag DISM.exe /Export-Image /SourceImageFile:"\.wim" /SourceIndex:1 /DestinationImageFile:"\-export.wim" ``` + **Example**: + + ```cmd + DISM.exe /Export-Image /SourceImageFile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /SourceIndex:1 /DestinationImageFile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim" + ``` + For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Image Management Command-Line Options: /Export-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#export-image). --- @@ -637,7 +643,7 @@ When adding a cumulative update to a Configuration Manager boot image, it's reco By updating `winpe.wim` from the Windows ADK, this will ensure that the cumulative update will stay applied regardless of what changes are made to the `boot.wim` boot image via Configuration Manager. -After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager by using the following steps: +After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager that contains the cumulative update by using the following steps: 1. Open the Microsoft Configuration manager console. 
@@ -659,8 +665,6 @@ After updating the `winpe.wim` boot image from the Windows ADK, generate a new ` This process in addition to updating the boot image used by Configuration Manager will also update the boot images and the boot files used by any PXE enabled distribution points. -When using Configuration Manager, the `winpe.wim` boot image from the Windows ADK should be updated instead of the `boot.wim` from Configuration Manager because: - ### Add optional components manually to Configuration Manager boot images For Microsoft Configuration Manager boot images, when applying a cumulative update to a boot image, make sure to add any desired optional components manually using the above command lines instead of adding them through Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. Optional components need to be added to the boot image manually instead of via Configuration Manager because: 
@@ -691,6 +695,32 @@ After completing the walkthrough, update any Configuration Manager boot media to ## Microsoft Deployment Toolkit (MDT) considerations +When adding a cumulative update to a Microsoft Deployment Toolkit (MDT) boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK instead of directly updating the `LiteTouchPE_.wim` boot image in the MDT Deployment Share. The `winpe.wim` boot image from the Windows ADK should be updated instead of the `LiteTouchPE_.wim` boot image from the MDT Deployment Share because if `LiteTouchPE_.wim` is updated, then the next time the MDT Deployment Share is updated, the changes made to `LiteTouchPE_.wim`, including the applied cumulative update, may be lost. If the `winpe.wim` boot image from the Windows ADK is updated instead, then the changes to the MDT boot image including the applied cumulative update will persist and be preserved when the MDT Deployment Share is updated. + +After updating the `winpe.wim` boot image from the Windows ADK, generate a new `LiteTouchPE_.wim` boot image for MDT that contains the cumulative update by using the following steps: + +1. Open the Microsoft Configuration manager console. + +1. In the Microsoft Configuration manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**. + +1. In the **Boot Images** pane, select the desired boot image. + +1. In the toolbar, select **Update Distribution Points**. + +1. In the **Update Distribution Points Wizard** window that appears: + + 1. In the **General**/**Update distribution points with this image** page, select the **Reload this boot image with the current Windows PE version from the Windows ADK** option, and then select the **Next >** button. + + 1. In the **Summary** page, select the **Next >** button. + + 1. The **Progress** page will appears while the boot image builds. + + 1. 
Once the boot image finishes building, the **Completion**/**The task "Update Distribution Points Wizard" completed successfully** page will appear. Select the **Close** button. + +This process in addition to updating the boot image used by Configuration Manager will also update the boot images and the boot files used by any PXE enabled distribution points. + +### MDT and Windows ADK versions + Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. When using MDT, the recommendation is to use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads) instead of the latest version of the Windows ADK. **ADK for Windows 10, version 2004** was the last version of the Windows ADK supported by MDT. ### MDT boot image required components @@ -698,7 +728,7 @@ Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Wi The following components are required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly: | **Feature** | **File Name** | **Dependency** | **Required by MDT** | -|---------|-----------|------------| +| --- | --- | --- | --- | | Scripting/WinPE-Scripting | `WinPE-Scripting.cab` | NA | Yes | | Scripting/WinPE-WMI | `WinPE-WMI.cab` | NA | Yes | | File management/WinPE-FMAPI | `WinPE-FMAPI.cab` | NA | Yes | 
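Review bot: The steps added under "Microsoft Deployment Toolkit (MDT) considerations" are the Configuration Manager procedure pasted unchanged: they open the Configuration Manager console, run **Update Distribution Points**, and close with "This process in addition to updating the boot image used by Configuration Manager will also update the boot images", which does not describe how an MDT `LiteTouchPE` image is regenerated. Replace them with the MDT procedure for updating the Deployment Share, and fix "will appears" if any of the wording is kept. The context sentence above the MDT table has the same problem: under the MDT heading it still reads "required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly".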
@@ -709,51 +739,13 @@ When adding optional components to any boot image used by MDT during the [Step 6 For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). -### Copy updated boot files to MDT deployment share +### Update MDT boot image -When the MDT deployment share is created, it copies the bootmgr boot files from the Windows ADK to the MDT deployment share. When using MDT, if the cumulative update updates the bootmgr boot files, these updated bootmgr boot files need to be manually copied to the MDT deployment share. This should be done during [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path): - -### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) - -From an elevated **PowerShell** command prompt, run the following commands to copy the updated bootmgr boot files from the mounted boot image to the MDT deployment share: - -```powershell -Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "\Boot\x64\bootmgr.efi" -Force - -Copy-Item "\Windows\Boot\EFI\bootmgfw.efi" "\Boot\x64\EFI\Boot\bootx64.efi" -Force -``` - -**Example**: - -```powershell -Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\DeploymentShare\Boot\x64\bootmgr.efi" -Force - -Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\DeploymentShare\Boot\x64\EFI\Boot\bootx64.efi" -Force -``` - -### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) - -From an elevated command prompt, run the following commands to copy the updated bootmgr boot files from the mounted boot image to the MDT deployment share: - -```cmd -copy "\Windows\Boot\EFI\bootmgr.efi" "\Boot\x64\bootmgr.efi" /Y - -copy 
"\Windows\Boot\EFI\bootmgfw.efi" "\Boot\x64\EFI\Boot\bootx64.efi" /Y -``` - -**Example**: - -```cmd -copy "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\DeploymentShare\Boot\x64\bootmgr.efi" /Y - -copy "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\DeploymentShare\Boot\x64\EFI\Boot\bootx64.efi" /Y -``` - ---- +After completing the walkthrough, . ### Updating MDT boot media -After completing the walkthrough, update any MDT boot media to ensure that the boot media has both the updated boot image and if applicable, updated boot files. +After completing the walkthrough and updating the Deployment Share, update any MDT boot media to ensure that the boot media has both the updated boot image and if applicable, updated boot files. ## Windows Deployment Services (WDS) considerations From 3c6fcc554b5c6df9521bc750acd31cd431426629 Mon Sep 17 00:00:00 2001 
From: Aaron Czechowski Date: Wed, 2 Aug 2023 18:08:51 -0700 Subject: [PATCH 051/110] delete unnecessary articles --- .openpublishing.redirection.json | 12 +- ...ishing.redirection.windows-deployment.json | 65 +++++++++++ windows/deployment/TOC.yml | 10 +- windows/deployment/add-store-apps-to-image.md | 89 --------------- windows/deployment/deploy.md | 34 ------ windows/deployment/index.yml | 2 - .../planning/act-technical-reference.md | 45 -------- windows/deployment/planning/index.md | 34 ------ windows/deployment/update/WIP4Biz-intro.md | 64 ----------- .../update/deploy-updates-configmgr.md | 21 ---- .../update/deploy-updates-intune.md | 24 ---- .../get-started-updates-channels-tools.md | 2 +- windows/deployment/update/index.md | 47 -------- .../olympia/olympia-enrollment-guidelines.md | 43 ------- windows/deployment/update/waas-morenews.md | 54 --------- .../deployment/update/windows-as-a-service.md | 106 ------------------ .../windows-10-deployment-tools-reference.md | 25 ----- .../deployment/windows-10-deployment-tools.md | 25 ----- 18 files changed, 75 insertions(+), 627 deletions(-) delete mode 100644 windows/deployment/add-store-apps-to-image.md delete mode 100644 windows/deployment/deploy.md delete mode 100644 windows/deployment/planning/act-technical-reference.md delete mode 100644 windows/deployment/planning/index.md delete mode 100644 windows/deployment/update/WIP4Biz-intro.md delete mode 100644 windows/deployment/update/deploy-updates-configmgr.md delete mode 100644 windows/deployment/update/deploy-updates-intune.md delete mode 100644 windows/deployment/update/index.md delete mode 100644 windows/deployment/update/olympia/olympia-enrollment-guidelines.md delete mode 100644 windows/deployment/update/waas-morenews.md delete mode 100644 windows/deployment/update/windows-as-a-service.md delete mode 100644 windows/deployment/windows-10-deployment-tools-reference.md delete mode 100644 windows/deployment/windows-10-deployment-tools.md 
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 010a1f7eaf..7cc99f80b3 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -2517,7 +2517,7 @@ }, { "source_path": "windows/deploy/windows-10-deployment-tools-reference.md", - "redirect_url": "/windows/deployment/windows-10-deployment-tools-reference", + "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools", "redirect_document_id": false }, { @@ -10602,7 +10602,7 @@ }, { "source_path": "windows/manage/introduction-to-windows-10-servicing.md", - "redirect_url": "/windows/deployment/update/index", + "redirect_url": "/windows/deployment/", "redirect_document_id": false }, { @@ -11037,7 +11037,7 @@ }, { "source_path": "windows/manage/waas-update-windows-10.md", - "redirect_url": "/windows/deployment/update/index", + "redirect_url": "/windows/deployment/", "redirect_document_id": false }, { @@ -11147,7 +11147,7 @@ }, { "source_path": "windows/plan/act-technical-reference.md", - "redirect_url": "/windows/deployment/planning/act-technical-reference", + "redirect_url": "/windows/deployment/planning/compatibility-administrator-users-guide", "redirect_document_id": false }, { @@ -11377,7 +11377,7 @@ }, { "source_path": "windows/plan/index.md", - "redirect_url": "/windows/deployment/planning/index", + "redirect_url": "/windows/deployment/", "redirect_document_id": false }, { @@ -12617,7 +12617,7 @@ }, { "source_path": "windows/update/index.md", - "redirect_url": "/windows/deployment/update/index", + "redirect_url": "/windows/deployment/", "redirect_document_id": false }, { diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json index 5ac6d20892..291aac7fbf 100644 --- a/.openpublishing.redirection.windows-deployment.json +++ b/.openpublishing.redirection.windows-deployment.json 
@@ -1039,6 +1039,71 @@ "source_path": "windows/deployment/windows-autopilot/index.yml", "redirect_url": "/mem/autopilot/", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy.md", + "redirect_url": "/windows/deployment/", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/planning/act-technical-reference.md", + "redirect_url": "/windows/deployment/planning/compatibility-administrator-users-guide", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/planning/index.md", + "redirect_url": "/windows/deployment/", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/add-store-apps-to-image.md", + "redirect_url": "/windows/deployment/", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/deploy-updates-configmgr.md", + "redirect_url": "/mem/configmgr/osd/deploy-use/manage-windows-as-a-service", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/deploy-updates-intune.md", + "redirect_url": "/mem/intune/protect/windows-update-for-business-configure", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/index.md", + "redirect_url": "/windows/deployment/", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/olympia/olympia-enrollment-guidelines.md", + "redirect_url": "/windows-insider/business/register", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/WIP4Biz-intro.md", + "redirect_url": "/windows-insider/business/register", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/waas-morenews.md", + "redirect_url": "/windows/deployment/update/waas-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/windows-as-a-service.md", + "redirect_url": "/windows/deployment/update/waas-overview", + "redirect_document_id": false + }, + { + 
"source_path": "windows/deployment/windows-10-deployment-tools.md", + "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-10-deployment-tools-reference.md", + "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools", + "redirect_document_id": false } ] } diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 128256240a..20d9752fdf 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -101,7 +101,9 @@ - name: Deploy Windows client items: - name: Deploy Windows client with Autopilot - href: windows-autopilot/index.yml + href: /autopilot/ + - name: Windows deployment scenarios and tools + href: windows-deployment-scenarios-and-tools.md - name: Deploy Windows client with Configuration Manager items: - name: Deploy to a new device @@ -136,10 +138,6 @@ items: - name: Assign devices to servicing channels href: update/waas-servicing-channels-windows-10-updates.md - - name: Deploy updates with Configuration Manager - href: update/deploy-updates-configmgr.md - - name: Deploy updates with Intune - href: update/deploy-updates-intune.md - name: Deploy updates with WSUS href: update/waas-manage-updates-wsus.md - name: Deploy updates with Group Policy @@ -170,8 +168,6 @@ href: update/waas-integrate-wufb.md - name: 'Walkthrough: use Group Policy to configure Windows Update for Business' href: update/waas-wufb-group-policy.md - - name: 'Walkupdatesthrough: use Intune to configure Windows Update for Business' - href: update/deploy-updates-intune.md - name: Windows Update for Business deployment service items: - name: Windows Update for Business deployment service overview diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md deleted file mode 100644 index 8a3e5bc940..0000000000 --- a/windows/deployment/add-store-apps-to-image.md +++ /dev/null 
@@ -1,89 +0,0 @@ ---- -title: Add Microsoft Store for Business applications to a Windows 10 image -description: This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz -ms.topic: article -ms.date: 11/23/2022 -ms.technology: itpro-deploy ---- - -# Add Microsoft Store for Business applications to a Windows 10 image - -*Applies to:* - -- Windows 10 - -This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. Adding Microsoft Store for Business applications to a Windows 10 image will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps. - -> [!IMPORTANT] -> In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. - -## Prerequisites - -- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images. - -- Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app). -- A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md). - -> [!NOTE] -> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)**. - -## Adding a Store application to your image - -On a machine where your image file is accessible: - -1. Open Windows PowerShell with administrator privileges. - -2. Mount the image. 
At the Windows PowerShell prompt, enter: -`Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test` - -3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, enter: -`Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml` - -> [!NOTE] -> Paths and file names are examples. Use your paths and file names where appropriate. -> -> Do not dismount the image, as you will return to it later. - -## Editing the Start Layout - -In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. - -On a test machine: - -1. **Install the Microsoft Store for Business application you previously added** to your image. - -2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**. - -3. Open Windows PowerShell with administrator privileges. - -4. Use `Export-StartLayout -path .xml` where *\\* is the path and name of the xml file your will later import into your Windows Image. - -5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image. - -Now, on the machine where your image file is accessible: - -1. Import the Start layout. At the Windows PowerShell prompt, enter: -`Import-StartLayout -LayoutPath ".xml" -MountPath "C:\test\"` - -2. Save changes and dismount the image. At the Windows PowerShell prompt, enter: -`Dismount-WindowsImage -Path c:\test -Save` - -> [!NOTE] -> Paths and file names are examples. Use your paths and file names where appropriate. 
-> -> For more information on Start customization, see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization) - -## Related articles - -- [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) -- [Export-StartLayout](/powershell/module/startlayout/export-startlayout) -- [Import-StartLayout](/powershell/module/startlayout/import-startlayout) -- [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10) -- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) -- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md deleted file mode 100644 index b72a595c2a..0000000000 --- a/windows/deployment/deploy.md +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -title: Deploy Windows 10 (Windows 10) -description: Learn about Windows 10 upgrade options for planning, testing, and managing your production deployment. -manager: aaroncz -author: frankroj -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -ms.topic: article -ms.date: 11/23/2022 -ms.technology: itpro-deploy ---- - -# Deploy Windows 10 - -Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and articles are available. - -|Article |Description | -|------|------------| -|[Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) |This article provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. | -|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This article provides information about support for upgrading directly to Windows 10 from a previous operating system. | -|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This article provides information about support for upgrading from one edition of Windows 10 to another. | -|[Windows 10 volume license media](windows-10-media.md) |This article provides information about updates to volume licensing media in the current version of Windows 10. | -|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. 
We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | -|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After you complete this guide, more guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md). | -|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to help Windows 10 deployment planning. | -|[Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | -|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Configuration Manager in your environment, you'll most likely want to use it to deploy Windows 10. This article will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). | -|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. 
| -|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install more fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.| - -## Related articles - -[Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index c2e2672c36..b72aa8d9ad 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -60,8 +60,6 @@ landingContent: url: /mem/autopilot - text: Assign devices to servicing channels url: update/waas-servicing-channels-windows-10-updates.md - - text: Deploy Windows updates with Configuration Manager - url: update/deploy-updates-configmgr.md # Card - title: Overview diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md deleted file mode 100644 index 07cf3c224a..0000000000 --- a/windows/deployment/planning/act-technical-reference.md +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10) -description: The Microsoft Application Compatibility Toolkit (ACT) helps you see if the apps and devices in your org are compatible with different versions of Windows. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 10/28/2022 ---- - -# Application Compatibility Toolkit (ACT) Technical Reference - - -**Applies to** -- Windows 10, version 1607 - ->[!IMPORTANT] ->We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with [Windows Analytics](/mem/configmgr/desktop-analytics/overview), a solution in the Microsoft Operations Management Suite. Windows Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. - -Microsoft developed Windows Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Windows Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft's experience upgrading millions of devices to Windows 10. - -With Windows diagnostic data enabled, Windows Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
- -Use Windows Analytics to get: -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools, including Microsoft Configuration Manager - -The Windows Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. - -At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatibility Administrator, which helps you to resolve potential compatibility issues. - -## In this section - -|Topic |Description | -|------|------------| -|[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. | -|[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. | -|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. | 
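Review bot: the redirect for this deleted page sends readers to only one of the three articles that the "In this section" table at the end of the hunk indexed. That table links `sua-users-guide.md`, `compatibility-administrator-users-guide.md` and `compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md`, while both redirect entries for `act-technical-reference.md` in this patch target `/windows/deployment/planning/compatibility-administrator-users-guide`. Please confirm that TOC.yml still lists the SUA and compatibility-fixes articles directly, since this page was their landing page; `planning/index.md`, which also linked here, is deleted in the same patch.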
diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md deleted file mode 100644 index 4d26878cb9..0000000000 --- a/windows/deployment/planning/index.md +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -title: Plan for Windows 10 deployment (Windows 10) -description: Find resources for your Windows 10 deployment. Windows 10 provides new deployment capabilities and tools, and introduces new ways to keep the OS up to date. -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz -ms.topic: article -ms.technology: itpro-deploy -ms.date: 10/28/2022 ---- - -# Plan for Windows 10 deployment -Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date. Together, these changes require that you rethink the traditional deployment process. - -## In this section -|Topic |Description | -|------|------------| -|[Windows 10 Enterprise: FAQ for IT professionals](windows-10-enterprise-faq-itpro.yml) | Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. | -|[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. | -|[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. | -|[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. | -|[Features removed or planned for replacement](/windows/whats-new/feature-lifecycle) |Information is provided about Windows features and functionality that are removed or planned for replacement. 
| -|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. | - -## Related topics -- [Windows 10 servicing options for updates and upgrades](../update/index.md) -- [Deploy Windows 10 with MDT](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) -- [Upgrade to Windows 10 with MDT](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -- [Upgrade to Windows 10 with Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) -- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) - diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md deleted file mode 100644 index ba129003a6..0000000000 --- a/windows/deployment/update/WIP4Biz-intro.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Introduction to the Windows Insider Program for Business -description: In this article, you'll learn about the Windows Insider Program for Business and why IT Pros should join. -ms.prod: windows-client -author: mestew -ms.author: mstewart -manager: aaroncz -ms.topic: article -ms.technology: itpro-updates -ms.date: 12/31/2017 ---- - -# Introduction to the Windows Insider Program for Business - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the General Availability Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. - -The Windows Insider Program for Business gives you the opportunity to: - -* Get early access to Windows Insider Preview Builds. -* Provide feedback to Microsoft in real time by using the Feedback Hub app. -* Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. -* Register your Azure Active Directory domain in the program, allowing you to cover all users within your organization with just one registration. 
-* Starting with Windows 10, version 1709, enable, disable, defer, and pause the installation of preview builds through policies. -* Track feedback provided through the Feedback Hub App across your organization. - -Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. - -The Windows Insider Program doesn't replace General Availability Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. - -[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the General Availability Channel Targeted ring for Pilot deployment, and the General Availability Channel for broad deployment.](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)
-Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. - -## Explore new Windows 10 features in Insider Previews -Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration: - -|Objective |Feature exploration| -|---------|---------| -|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| -|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | -|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
- Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
- Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | -|Feedback | - This helps us make adjustments to features as quickly as possible.
- Encourage users to sign into the Feedback Hub using their Azure Active Directory work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
- [Learn how to provide effective feedback in the Feedback Hub](/windows-insider/feedback) | - -## Validate Insider Preview builds -Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. Early validation has several benefits: - -- Get a head start on your Windows validation process. -- Identify issues sooner to accelerate your Windows deployment. -- Engage Microsoft earlier for help with potential compatibility issues. -- Deploy Windows 10 General Availability Channel releases faster and more confidently. -- Maximize the support window that comes with each General Availability Channel release. - -|Objective |Feature exploration| -|---------|---------| -|Release channel |**Slow Ring:** Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production devices by skilled users.| -|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.| -|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. | -|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. | -|Guidance | Application and infrastructure validation:
- [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](/mem/configmgr/desktop-analytics/overview)
- [Use Device Health to identify problem devices and device drivers](/windows/deployment/update/device-health-monitor)
- [Windows 10 application compatibility](/windows/windows-10/)| diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md deleted file mode 100644 index 3a6115792f..0000000000 --- a/windows/deployment/update/deploy-updates-configmgr.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -title: Deploy Windows client updates with Configuration Manager -description: Deploy Windows client updates with Configuration Manager -ms.prod: windows-client -author: mestew -ms.localizationpriority: medium -ms.author: mstewart -manager: aaroncz -ms.topic: article -ms.technology: itpro-updates -ms.date: 12/31/2017 ---- - -# Deploy Windows 10 updates with Configuration Manager - -**Applies to** - -- Windows 10 -- Windows 11 - -See the [Microsoft Configuration Manager documentation](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. diff --git a/windows/deployment/update/deploy-updates-intune.md b/windows/deployment/update/deploy-updates-intune.md deleted file mode 100644 index 8ce126fdb1..0000000000 --- a/windows/deployment/update/deploy-updates-intune.md +++ /dev/null @@ -1,24 +0,0 @@ ---- -title: Deploy updates with Intune -description: Deploy Windows client updates with Intune. -ms.prod: windows-client -author: mestew -ms.localizationpriority: medium -ms.author: mstewart -manager: aaroncz -ms.topic: article -ms.technology: itpro-updates -ms.collection: - - highpri - - tier2 -ms.date: 12/31/2017 ---- - -# Deploy Windows 10 updates with Intune - -**Applies to** - -- Windows 10 -- Windows 11 - -See the Microsoft Intune [documentation](/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows client updates. 
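Review bot: removing this stub leaves no Intune pointer in the Windows Update for Business part of the TOC, as far as the visible TOC.yml hunks show: both entries that used `update/deploy-updates-intune.md` are removed and nothing replaces them, so the redirect is the only remaining path to the Intune guidance. Consider adding a TOC entry whose href is the redirect target, `/mem/intune/protect/windows-update-for-business-configure`. The deleted body also linked to that page with the `#windows-10-feature-updates` fragment, which the new redirect entry omits; check whether readers should still land on that section.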
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md index 0ed7fc519a..bb423208bf 100644 --- a/windows/deployment/update/get-started-updates-channels-tools.md +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -89,7 +89,7 @@ Windows Server Update Services (WSUS): you set up a WSUS server, which downloads You can set up, control, and manage the server and update process with several tools: - A standalone Windows Server Update Services server operated directly -- [Configuration Manager](deploy-updates-configmgr.md) +- Configuration Manager - Non-Microsoft tools For more information, see [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md deleted file mode 100644 index 98552e3194..0000000000 --- a/windows/deployment/update/index.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -title: Update Windows client in enterprise deployments -description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows client. -ms.prod: windows-client -author: mestew -manager: aaroncz -ms.localizationpriority: high -ms.author: mstewart -ms.topic: article -ms.technology: itpro-updates -ms.date: 12/31/2017 ---- - -# Update Windows client in enterprise deployments - - -**Applies to** - -- Windows 10 -- Windows 11 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly. It spreads out the required effort into a continuous updating process, reducing the overall effort required to maintain Windows client devices in your environment. In addition, with the Windows client operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them. - - - - -## In this section - -| Article | Description| -| --- | --- | -| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the servicing model for Windows client. 
| -| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows client; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | -| [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | -| [Assign devices to servicing branches for Windows client updates](waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the General Availability Channel for feature and quality updates, and how to enroll devices in Windows Insider. | -| [Monitor Windows Updates with Windows Update for Business reports](wufb-reports-overview.md) | Explains how to use Windows Update for Business reports to monitor and manage Windows Updates on devices in your organization. | -| [Optimize update delivery](../do/waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | -| [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | -| [Deploy Windows client updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows client updates. | -| [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows client updates. | -| [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. 
| -| [Manage more Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update | -| [Windows Insider Program for Business](/windows-insider/business/register) | Explains how the Windows Insider Program for Business works and how to become an insider. | - ->[!TIP] ->For disaster recovery scenarios and bare-metal deployments of Windows client, you still can use traditional imaging software such as Microsoft Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows client images is similar to deploying previous versions of Windows. diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md deleted file mode 100644 index 06c5076a73..0000000000 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -title: Olympia Corp Retirement -description: Learn about the retirement of Olympia Corp and how to back up your data prior to October 31, 2022. -ms.author: lizlong -ms.topic: article -ms.prod: windows-client -author: lizgt2000 -manager: aaroncz -ms.technology: itpro-updates -ms.date: 12/31/2017 ---- - -# Olympia Corp - -**Applies to** - -- Windows 10 -- Windows 11 - -## Retirement of Olympia Corp - -Olympia Corp, a virtual corporation was set up to reflect the IT infrastructure of real world businesses.
-Olympia will be formally retired on October 31, 2022.
-We'll begin unassigning Olympia licenses and deleting the Olympia feedback path on Feedback Hub. Olympia Corp will no longer be a part of Windows Insider Lab for Enterprise. - -> [!WARNING] -> To prevent data loss, Olympia participants need to complete the following: -> - If you're using the provided Olympia licenses, make a back up of any data as you'll lose data once we unassign the licenses. -> - Please remove your device from Olympia before October 31, 2022. - -To remove the account from Azure Active Directory, follow the steps below: - - 1. Open the **Settings** app. - 1. Go to **Accounts** > **Access work or school**. - 1. Select the connected account that you want to remove, then select **Disconnect**. - 1. To confirm device removal, select **Yes**. - -- After removing your account from Olympia, log in to your device using your local account. - -- If you're looking for another program to join, the program we recommend is the Windows Insider Program for Business. Follow the instructions below to register: -[Register for the Windows 10 Insider Program for Business](/windows-insider/business/register) - -Thank you for your participation in Olympia and email Windows Insider Lab for Enterprise [olympia@microsoft.com](mailto:olympia@microsoft.com) with any questions. diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md deleted file mode 100644 index 641b7046a9..0000000000 --- a/windows/deployment/update/waas-morenews.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -title: Windows as a service news & resources -description: The latest news for Windows as a service with resources to help you learn more about them. -ms.prod: windows-client -ms.topic: article -author: mestew -ms.author: mstewart -manager: aaroncz -ms.localizationpriority: high -ms.technology: itpro-updates -ms.date: 12/31/2017 ---- -# Windows as a service - More news - -Here's more news about [Windows as a service](windows-as-a-service.md): - - 
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md deleted file mode 100644 index 078c5cb3e0..0000000000 --- a/windows/deployment/update/windows-as-a-service.md +++ /dev/null 
@@ -1,106 +0,0 @@ ---- -title: Windows as a service -ms.prod: windows-client -ms.topic: article -author: mestew -ms.author: mstewart -description: Discover the latest news articles, videos, and podcasts about Windows as a service. Find resources for using Windows as a service within your organization. -manager: aaroncz -ms.localizationpriority: high -ms.technology: itpro-updates -ms.date: 12/31/2017 ---- - -# Windows as a service - -Find the tools and resources you need to help deploy and support Windows as a service in your organization. - -## Latest news, videos, & podcasts - -Find the latest and greatest news on Windows 10 deployment and servicing. - -**Discovering the Windows 10 Update history pages** -> [!VIDEO https://www.youtube-nocookie.com/embed/mTnAb9XjMPY] - -Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the [Windows release health dashboard](/windows/release-health/) for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout. 
- -The latest news: - -- [How to get Extended Security Updates for eligible Windows devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807) - October 17, 2019 -- [End of service reminders for Windows 10, versions 1703 and 1803](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/End-of-service-reminders-for-Windows-10-versions-1703-and-1803/ba-p/903715) - October 9, 2019 -- [Using machine learning to improve the Windows 10 update experience](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860) - September 26, 2019 -- [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054) - September 24, 2019 -- [New extended support dates for MDOP tools](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/New-extended-support-dates-for-MDOP-tools/ba-p/837312) - September 4, 2019 -- [FastTrack for Windows 10 deployment and other migration resources](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/FastTrack-for-Windows-10-deployment-and-other-migration/ba-p/800406) - August 12, 2019 -- [Tactical considerations for creating Windows deployment rings](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979) - July 10, 2019 -- [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Upgrading-Windows-10-devices-with-installation-media-different/ba-p/746126) - July 9, 2019 -- [Moving to the next Windows 10 feature update for commercial customers](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Moving-to-the-next-Windows-10-feature-update-for-commercial/ba-p/732968) - July 1, 2019 - - 
-[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). - -## IT pro champs corner -Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. - -Champs - -[**NEW** Tactical considerations for creating Windows deployment rings](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979) - -[**NEW** Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-Enterprise-vs-Windows-10-Pro-Modern-management/ba-p/720445) - -[Deployment rings: The hidden [strategic] gem of Windows as a service](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Deployment-rings-The-hidden-strategic-gem-of-Windows-as-a/ba-p/659622) - -[Classifying Windows updates in common deployment tools](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Classifying-Windows-updates-in-common-deployment-tools/ba-p/331175) - -[Express updates for Windows Server 2016 re-enabled for November 2018 update](/windows-server/get-started/express-updates) - -[2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/) - -[What is Windows Update for Business?](waas-manage-updates-wufb.md) - -## Discover - -Learn more about Windows as a service and its value to your organization. - -Discover - -[Overview of Windows as a service](waas-overview.md) - -[Quick guide to Windows as a service](waas-quick-start.md) - - -[What's new in Windows 10 deployment](../deploy-whats-new.md) - -[Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios) - -## Plan - -Prepare to implement Windows as a service effectively using the right tools, products, and strategies. 
- -Plan - -[Simplified updates](https://www.microsoft.com/windowsforbusiness/simplified-updates) - -[Windows 10 end user readiness](https://www.microsoft.com/itpro/windows-10/end-user-readiness) - -[Ready for Windows](https://developer.microsoft.com/windows/ready-for-windows#/) - -[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) - -[Preparing your organization for a seamless Windows 10 deployment](https://www.microsoft.com/itshowcase/windows10deployment) - -## Deploy - -Secure your organization's deployment investment. - -Deploy - -[Update Windows 10 in the enterprise](index.md) - -[Deploying as an in-place upgrade](https://www.microsoft.com/itshowcase/Article/Content/668/Deploying-Windows-10-at-Microsoft-as-an-inplace-upgrade) - -[Configure Windows Update for Business](waas-configure-wufb.md) - -[Express update delivery](../do/waas-optimize-windows-10-updates.md#express-update-delivery) - -[Windows 10 deployment considerations](../planning/windows-10-deployment-considerations.md) diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md deleted file mode 100644 index 3ee6b7d8a5..0000000000 --- a/windows/deployment/windows-10-deployment-tools-reference.md +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -title: Windows 10 deployment tools reference -description: Learn about the tools available to deploy Windows 10, like Volume Activation Management Tool (VAMT) and User State Migration Tool (USMT). -manager: aaroncz -ms.author: frankroj -author: frankroj -ms.prod: windows-client -ms.date: 10/31/2022 -ms.topic: article -ms.technology: itpro-deploy ---- - -# Windows 10 deployment tools reference - -Learn about the tools available to deploy Windows 10. - -|Article |Description | -|------|------------| -|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it's essential that you know about the available tools to help with the process. In this article, you'll learn about the most commonly used tools for Windows 10 deployment. | -|[Convert MBR partition to GPT](mbr-to-gpt.md) |This article provides detailed instructions for using the MBR2GPT partition conversion tool. | -|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | -|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | -|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This article helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you've reviewed the articles [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. 
You can then use the steps in this article to start your Windows To Go deployment. | -|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. | -|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md deleted file mode 100644 index b4187d65df..0000000000 --- a/windows/deployment/windows-10-deployment-tools.md +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -title: Windows 10 deployment tools -description: Learn how to use Windows 10 deployment tools to successfully deploy Windows 10 to your organization. -manager: aaroncz -ms.author: frankroj -author: frankroj -ms.prod: windows-client -ms.date: 10/31/2022 -ms.topic: article -ms.technology: itpro-deploy ---- - -# Windows 10 deployment tools - -Learn about the tools available to deploy Windows 10. - -|Article |Description | -|------|------------| -|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it's essential that you know about the available tools to help with the process. In this article, you'll learn about the most commonly used tools for Windows 10 deployment. | -|[Convert MBR partition to GPT](mbr-to-gpt.md) |This article provides detailed instructions for using the MBR2GPT partition conversion tool. | -|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | -|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | -|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This article helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you've reviewed the articles [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this article to start your Windows To Go deployment. 
| -|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. | -|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | From 53c5919beb0bd04f9eabf232f4326f171b985514 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 3 Aug 2023 17:00:21 -0400 Subject: [PATCH 052/110] Update Boot Image with CU Article 45 --- windows/deployment/update-boot-image.md | 78 ++++++++++++++++++++++--- 1 file changed, 69 insertions(+), 9 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index c1c4e632d5..9e52366828 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -250,7 +250,7 @@ Drivers are not affected by the cumulative update installed later in this walkth **Example**: ```powershell - Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab" -Path "C:\Mount" -Verbose + Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-Scripting.cab" -Path "C:\Mount" -Verbose ``` These examples assume a 64-bit boot image. If a different architecture is being used, then adjust the paths in the commands accordingly. 
@@ -390,18 +390,74 @@ For more information, see [Add or Remove Packages Offline Using DISM](/windows-h > > Make sure not to apply the cumulative update (CU) until all desired optional components have been installed. This will make sure that the optional components are also properly updated by the cumulative update. If in the future any additional optional components need to be added to the boot image, make sure to reapply the cumulative update. +### Servicing stack update (SSU) and error 0x800f0823 + +Sometimes when applying a cumulative update (CU) to a boot image, you may receive the following error: + +### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + +```powershell +VERBOSE: Target Image Version +WARNING: Failed to add package \.msu +WARNING: Add-WindowsPackage failed. Error code = 0x800f0823 +Add-WindowsPackage : An error occurred applying the Unattend.xml file from the .msu package. +For more information, review the log file. +At line:1 char:1 ++ Add-WindowsPackage -PackagePath "\ ... ++ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CategoryInfo : NotSpecified: (:) [Add-WindowsPackage], COMException + + FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsPackageCommand +``` + +### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + +```cmd +Error: 0x800f0823 + +Package \.msu may have failed due to pending updates to servicing components in the image. Try the command again. +The DISM log file can be found at C:\Windows\Logs\DISM\dism.log +``` + +--- + +Inspecting the **DISM.log** will reveal the following error: + +```cmd +Package "Package_for_RollupFix~" requires Servicing Stack v but current Servicing Stack is v. 
[HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED] +Failed to initialize internal package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED] +Failed to create internal package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED] +Failed to create windows update package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED] +DISM Package Manager: PID=6020 TID=6112 Failed opening package. - CDISMPackageManager::Internal_CreatePackageByPath(hr:0x800f0823) +DISM Package Manager: PID=6020 TID=6112 Failed to get the underlying CBS package. - CDISMPackageManager::OpenPackageByPath(hr:0x800f0823) +DISM Package Manager: PID=6020 TID=6112 The specified package cannot be added to this Windows Image due to a version mismatch. - GetCbsErrorMsg +DISM Package Manager: PID=6020 TID=6112 Failed to open package at location [\.cab]. - CPackageManagerUnattendHandler::Internal_ProcessPackageFromSource(hr:0x800f0823) +DISM Package Manager: PID=6020 TID=6112 Failed to install package from source [0] - trying next source location. hr = [0x800F0823] - CPackageManagerUnattendHandler::Internal_UnattendInstallPackage +DISM Package Manager: PID=6020 TID=6112 Failed to Install the package [Multiple_Packages~~~~0.0.0.0]. - CPackageManagerUnattendHandler::Internal_UnattendInstallPackage(hr:0x800f0823) +DISM Package Manager: PID=6020 TID=6112 Package failed to install [Multiple_Packages~~~~0.0.0.0]. - CPackageManagerUnattendHandler::Internal_UnattendProcessPackage(hr:0x800f0823) +DISM Package Manager: PID=6020 TID=6112 Failed to process package at node . - CPackageManagerUnattendHandler::Apply(hr:0x800f0823) +DISM Package Manager: PID=6020 TID=6112 Failed to Apply the unattend. - CDISMPackageManager::Apply(hr:0x800f0823) +DISM Unattend Manager: PID=6020 TID=6112 "Error applying unattend for provider: DISM Package Manager" - CUnattendManager::Apply(hr:0x800f0823) +DISM Package Manager: PID=6020 TID=6112 Failed applying the unattend file from the MSU package. 
- CMsuPackage::ApplyMsuUnattend(hr:0x800f0823) +DISM Package Manager: PID=6020 TID=6112 Failed to apply the MSU unattend file to the image. - CMsuPackage::Install(hr:0x800f0823) +DISM Package Manager: PID=6020 TID=6112 Failed while processing command add-package. - CPackageManagerCLIHandler::ExecuteCmdLine(hr:0x800f0823) +``` + +The problem occurs when the WinPE boot image that is being serviced requires installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE which most likely won't need a servicing stack update (SSU) installed before installing the cumulative update (CU). + +For scenarios where an older version of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The following steps outline how to install the servicing stack update (SSU) before installing the cumulative update (CU) to the boot image: + ## Step 8: Copy boot files from mounted boot image to ADK installation path Some cumulative updates will update the bootmgr boot files in the boot image. After these bootmgr boot files have been updated in the boot image, it's recommended to copy these updated bootmgr boot files from the boot image back to the Windows ADK. This will ensure that the Windows ADK has the updated bootmgr boot files. 
### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) -From an elevated **PowerShell** command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path: +From an elevated **PowerShell** command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands need confirmation to overwrite the existing bootmgr boot files: ```powershell -Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Force +Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Copy-Item "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" -Force +Copy-Item "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" ``` **Example**: 
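Review bot: the new SSU section ends with "The following steps outline how to install the servicing stack update (SSU) before installing the cumulative update (CU) to the boot image:" and is followed directly by "## Step 8", so the promised steps are missing; either add the procedure in this change or cut the sentence until the steps land. Separately, the reworded PowerShell lead-in in Step 8 says "These commands need confirmation to overwrite the existing bootmgr boot files", but `Copy-Item` replaces an existing destination without prompting, and `-Force` only matters when the destination is read-only, so removing `-Force` from the template changes whether a read-only target can be replaced rather than adding a confirmation prompt. Reword the sentence to describe what `-Force` actually does.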
@@ -412,24 +468,28 @@ Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Window Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" -Force ``` +To overwrite the bootmgr boot files without confirmation, for example in a script, add the `-Force` parameter to the end of the command line. + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) -From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path: +From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands need confirmation to overwrite the existing bootmgr boot files:: ```cmd -copy "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" /Y +copy "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -copy "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" /Y +copy "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" ``` **Example**: ```cmd -copy "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" /Y +copy "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows 
Preinstallation Environment\amd64\Media\bootmgr.efi" -copy "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" /Y +copy "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" ``` +To overwrite the bootmgr boot files without confirmation, for example in a script, add the `/Y` parameter to the end of the command line. + --- This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr boot files are available to the ADK when creating bootable media. This includes any product that uses the ADK to create bootable media. From 266f13bacba95c9b7a8dc30fe47cf53d51c0f645 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 3 Aug 2023 18:57:54 -0400 Subject: [PATCH 053/110] Update Boot Image with CU Article 46 --- windows/deployment/update-boot-image.md | 132 ++++++++++++++++++++---- 1 file changed, 114 insertions(+), 18 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 9e52366828..a4d3578cf5 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -357,7 +357,7 @@ Apply the cumulative update (CU) downloaded earlier in the walkthrough to the bo From an elevated **PowerShell** command prompt, run the following command to add the cumulative update (CU) to the boot image: ```powershell -Add-WindowsPackage -PackagePath "" -Path "" -Verbose +Add-WindowsPackage -PackagePath "\.msu" -Path "" -Verbose ``` **Example**: 
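Review bot: in the Step 8 hunk of PATCH 052 (@@ -412,24 +468,28 @@ in update-boot-image.md), the two tabs' examples no longer agree: the PowerShell **Example** still ends in `-Force` (it is an unchanged context line) while the Command Line **Example** has `/Y` removed, so the PowerShell example now contradicts the template above it, which omits `-Force`. Either drop `-Force` from the PowerShell example as well or keep the switch in both examples. The added Command Line sentence also ends in a doubled colon, "bootmgr boot files::"; make it a single colon.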
@@ -373,7 +373,7 @@ For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windo From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to add the cumulative update (CU) to the boot image: ```cmd -DISM.exe /Image:"" /Add-Package /PackagePath:"" +DISM.exe /Image:"" /Add-Package /PackagePath:"\.msu" ``` **Example**: @@ -392,7 +392,7 @@ For more information, see [Add or Remove Packages Offline Using DISM](/windows-h ### Servicing stack update (SSU) and error 0x800f0823 -Sometimes when applying a cumulative update (CU) to a boot image, you may receive the following error: +Sometimes when applying a cumulative update (CU) to a boot image, you may receive error `0x800f0823`: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) 
@@ -422,29 +422,125 @@ The DISM log file can be found at C:\Windows\Logs\DISM\dism.log Inspecting the **DISM.log** will reveal the following error: +### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + +```powershell +Package "Package_for_RollupFix~" requires Servicing Stack v but current Servicing Stack is v. [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED] +Failed to initialize internal package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED] +Failed to create internal package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED] +Failed to create windows update package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED] +DISM Package Manager: PID= TID= Failed opening package. - CDISMPackageManager::Internal_CreatePackageByPath(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed to get the underlying CBS package. - CDISMPackageManager::OpenPackageByPath(hr:0x800f0823) +DISM Package Manager: PID= TID= The specified package cannot be added to this Windows Image due to a version mismatch. - GetCbsErrorMsg +DISM Package Manager: PID= TID= Failed to open package at location [\.cab]. - CPackageManagerUnattendHandler::Internal_ProcessPackageFromSource(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed to install package from source [0] - trying next source location. hr = [0x800F0823] - CPackageManagerUnattendHandler::Internal_UnattendInstallPackage +DISM Package Manager: PID= TID= Failed to Install the package [Multiple_Packages~~~~0.0.0.0]. - CPackageManagerUnattendHandler::Internal_UnattendInstallPackage(hr:0x800f0823) +DISM Package Manager: PID= TID= Package failed to install [Multiple_Packages~~~~0.0.0.0]. - CPackageManagerUnattendHandler::Internal_UnattendProcessPackage(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed to process package at node . - CPackageManagerUnattendHandler::Apply(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed to Apply the unattend. 
- CDISMPackageManager::Apply(hr:0x800f0823) +DISM Unattend Manager: PID= TID= "Error applying unattend for provider: DISM Package Manager" - CUnattendManager::Apply(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed applying the unattend file from the MSU package. - CMsuPackage::ApplyMsuUnattend(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed to apply the MSU unattend file to the image. - CMsuPackage::Install(hr:0x800f0823) +API: PID= TID= Failed to install msu package \.msu - CAddPackageCommandObject::InternalExecute(hr:0x800f0823) +API: PID= TID= InternalExecute failed - CBaseCommandObject::Execute(hr:0x800f0823) +API: PID= TID= CAddPackageCommandObject internal execution failed - DismAddPackageInternal(hr:0x800f0823) +``` + +### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + ```cmd Package "Package_for_RollupFix~" requires Servicing Stack v but current Servicing Stack is v. [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED] Failed to initialize internal package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED] Failed to create internal package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED] Failed to create windows update package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED] -DISM Package Manager: PID=6020 TID=6112 Failed opening package. - CDISMPackageManager::Internal_CreatePackageByPath(hr:0x800f0823) -DISM Package Manager: PID=6020 TID=6112 Failed to get the underlying CBS package. - CDISMPackageManager::OpenPackageByPath(hr:0x800f0823) -DISM Package Manager: PID=6020 TID=6112 The specified package cannot be added to this Windows Image due to a version mismatch. - GetCbsErrorMsg -DISM Package Manager: PID=6020 TID=6112 Failed to open package at location [\.cab]. 
- CPackageManagerUnattendHandler::Internal_ProcessPackageFromSource(hr:0x800f0823) -DISM Package Manager: PID=6020 TID=6112 Failed to install package from source [0] - trying next source location. hr = [0x800F0823] - CPackageManagerUnattendHandler::Internal_UnattendInstallPackage -DISM Package Manager: PID=6020 TID=6112 Failed to Install the package [Multiple_Packages~~~~0.0.0.0]. - CPackageManagerUnattendHandler::Internal_UnattendInstallPackage(hr:0x800f0823) -DISM Package Manager: PID=6020 TID=6112 Package failed to install [Multiple_Packages~~~~0.0.0.0]. - CPackageManagerUnattendHandler::Internal_UnattendProcessPackage(hr:0x800f0823) -DISM Package Manager: PID=6020 TID=6112 Failed to process package at node . - CPackageManagerUnattendHandler::Apply(hr:0x800f0823) -DISM Package Manager: PID=6020 TID=6112 Failed to Apply the unattend. - CDISMPackageManager::Apply(hr:0x800f0823) -DISM Unattend Manager: PID=6020 TID=6112 "Error applying unattend for provider: DISM Package Manager" - CUnattendManager::Apply(hr:0x800f0823) -DISM Package Manager: PID=6020 TID=6112 Failed applying the unattend file from the MSU package. - CMsuPackage::ApplyMsuUnattend(hr:0x800f0823) -DISM Package Manager: PID=6020 TID=6112 Failed to apply the MSU unattend file to the image. - CMsuPackage::Install(hr:0x800f0823) -DISM Package Manager: PID=6020 TID=6112 Failed while processing command add-package. - CPackageManagerCLIHandler::ExecuteCmdLine(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed opening package. - CDISMPackageManager::Internal_CreatePackageByPath(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed to get the underlying CBS package. - CDISMPackageManager::OpenPackageByPath(hr:0x800f0823) +DISM Package Manager: PID= TID= The specified package cannot be added to this Windows Image due to a version mismatch. - GetCbsErrorMsg +DISM Package Manager: PID= TID= Failed to open package at location [\.cab]. 
- CPackageManagerUnattendHandler::Internal_ProcessPackageFromSource(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed to install package from source [0] - trying next source location. hr = [0x800F0823] - CPackageManagerUnattendHandler::Internal_UnattendInstallPackage +DISM Package Manager: PID= TID= Failed to Install the package [Multiple_Packages~~~~0.0.0.0]. - CPackageManagerUnattendHandler::Internal_UnattendInstallPackage(hr:0x800f0823) +DISM Package Manager: PID= TID= Package failed to install [Multiple_Packages~~~~0.0.0.0]. - CPackageManagerUnattendHandler::Internal_UnattendProcessPackage(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed to process package at node . - CPackageManagerUnattendHandler::Apply(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed to Apply the unattend. - CDISMPackageManager::Apply(hr:0x800f0823) +DISM Unattend Manager: PID= TID= "Error applying unattend for provider: DISM Package Manager" - CUnattendManager::Apply(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed applying the unattend file from the MSU package. - CMsuPackage::ApplyMsuUnattend(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed to apply the MSU unattend file to the image. - CMsuPackage::Install(hr:0x800f0823) +DISM Package Manager: PID= TID= Failed while processing command add-package. - CPackageManagerCLIHandler::ExecuteCmdLine(hr:0x800f0823) ``` +--- + The problem occurs when the WinPE boot image that is being serviced requires installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE which most likely won't need a servicing stack update (SSU) installed before installing the cumulative update (CU). 
-For scenarios where an older version of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The following steps outline how to install the servicing stack update (SSU) before installing the cumulative update (CU) to the boot image: +For scenarios where an older version of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The servicing stack update (SSU) is contained within the cumulative update (CU). To obtain the servicing stack update (SSU) so that it can be applied, it can be extracted from the cumulative update (CU). + +The following steps outline how to extract and then install the servicing stack update (SSU) to the boot image. Once the before servicing stack update (SSU) has been installed, then the cumulative update (CU) should install to the boot image without error. These steps are only necessary if error 0x800f0823 occurs when installing the cumulative update (CU) to the boot image. If error 0x800f0823 isn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path): + +1. Create a folder to extract the servicing stack update (SSU) into. For example, `C:\Updates\Extract`: + +1. 
Extract the contents of the cumulative update (CU) to the folder created in the previous step using the following command: + + ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + + ```powershell + Start-Process "expand.exe" -ArgumentList " -f:* `"\.msu`" `"`"" -Wait -LoadUserProfile + ``` + + **Example**: + + ```powershell + Start-Process "expand.exe" -ArgumentList " -f:* `"C:\Updates\windows10.0-kb5028166-x64_fe3aa2fef685c0e76e1f5d34d529624294273f41.msu`" `"C:\Updates\Extract`"" -Wait -LoadUserProfile + ``` + + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + + ```cmd + expand.exe -f:* "\.msu" "" + ``` + + **Example**: + + ```cmd + expand.exe -f:* "C:\Updates\windows10.0-kb5028166-x64_fe3aa2fef685c0e76e1f5d34d529624294273f41.msu" "C:\Updates\Extract" + ``` + + --- + +1. Inspect the contents of the extracted files in the extract folder and identify the servicing stack update (SSU) CAB file. One of the files should be called `SSU--.cab`. For example, `SSU-19041.3205-x64.cab`. Make a note of the name of the servicing stack update (SSU) CAB file. + +1. 
Apply the servicing stack update (SSU) CAB file to the boot image using the following command: + + ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + + From an elevated **PowerShell** command prompt, run the following command to add the cumulative update (CU) to the boot image: + + ```powershell + Add-WindowsPackage -PackagePath "\.cab" -Path "" -Verbose + ``` + + **Example**: + + ```powershell + Add-WindowsPackage -PackagePath "C:\Updates\Extract\SSU-19041.3205-x64.cab" -Path "C:\Mount" -Verbose + ``` + + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + + From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to add the cumulative update (CU) to the boot image: + + ```cmd + DISM.exe /Image:"" /Add-Package /PackagePath:"\.cab" + ``` + + **Example**: + + ```cmd + DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Updates\Extract\SSU-19041.3205-x64.cab" + ``` + + --- + +1. Attempt to apply the cumulative update (CU) to the boot image again using the commands from [Step 7: Add cumulative update (CU) to boot image](#step-7-add-cumulative-update-cu-to-boot-image). ## Step 8: Copy boot files from mounted boot image to ADK installation path 
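Review bot: In the new step that applies the SSU CAB file, both tab lead-ins say "run the following command to add the cumulative update (CU) to the boot image", but the commands under them install `SSU-19041.3205-x64.cab`; the sentence looks copied from Step 7 and should read "add the servicing stack update (SSU)". In the same hunk, "Once the before servicing stack update (SSU) has been installed" has a stray "before", "If error 0x800f0823 isn't occur" should be "doesn't occur", and step 1 ("Create a folder to extract the servicing stack update (SSU) into. For example, `C:\Updates\Extract`:") ends in a colon with no command after it.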
@@ -517,7 +613,7 @@ Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment **Example**: ```powershell -Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase /Defer" -Wait -LoadUserProfile +Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:`"C:\Mount`" /Cleanup-image /StartComponentCleanup /Resetbase /Defer" -Wait -LoadUserProfile Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase" -Wait -LoadUserProfile ``` From b36305450de619774699a9eeec43201a601e3eca Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 3 Aug 2023 21:07:15 -0400 Subject: [PATCH 054/110] Update Boot Image with CU Article 47 --- windows/deployment/update-boot-image.md | 105 +++++++++++++++++++++--- 1 file changed, 95 insertions(+), 10 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index a4d3578cf5..58dcc4dcaa 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
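Review bot: The quoting fix in the `@@ -517,7 +613,7 @@` hunk of PATCH 053/110 covers only the `/Defer` line. The next `Start-Process` line, left as unchanged context, still has `-ArgumentList " /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase"` with unescaped inner quotes, so the string literal closes right after `/Image:`. Apply the same backtick-escaped quotes around C:\Mount to that line in this change, otherwise the example keeps one working and one broken command side by side.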
@@ -100,7 +100,7 @@ Adjust the above paths for 32-bit boot images (only available in Windows 10 ADKs The following commands will backup the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) -From an elevated **PowerShell** command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. This command won't automatically overwrite a backup of a boot image if one already exists: +From an elevated **PowerShell** command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. This commands needs confirmation to overwrite an existing backed up boot image if one already exists: ```powershell Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.bak.wim" 
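Review bot: "This commands needs confirmation" in the PowerShell paragraph should be "This command needs", and the statement itself does not match the command shown: `Copy-Item` replaces an existing destination file without prompting by default, so neither the removed wording ("won't automatically overwrite") nor the new one describes what happens to an existing `winpe.bak.wim`. Since the backup is the only known-good copy of the boot image, either state plainly that an existing backup is overwritten, or show a guard such as a `Test-Path` check before the copy.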
@@ -108,9 +108,11 @@ Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\ Adjust paths and file names accordingly to back up other boot images. +To overwrite an existing backed up boot image without confirmation, for example in a script, add the `-Force` parameter to the end of the command line. + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) -From an elevated command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. This command won't automatically overwrite a backup of a boot image if one already exists: +From an elevated command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. This commands needs confirmation to overwrite an existing backed up boot image if one already exist: ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.bak.wim" @@ -118,6 +120,8 @@ copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windo Adjust paths and file names accordingly to back up other boot images. +To overwrite an existing backed up boot image without confirmation, for example in a script, add the `/Y` parameter to the end of the command line. + --- ## Step 4: Mount boot image to mount folder 
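Review bot: The Command Line paragraph repeats the typo "This commands needs" and ends with "if one already exist", while the PowerShell paragraph in the previous hunk ends with "exists"; use "This command needs ... if one already exists" in both tabs. The two added "To overwrite an existing backed up boot image without confirmation" sentences would also read better directly under their command blocks than after "Adjust paths and file names accordingly", so the switch is seen next to the line it modifies.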
@@ -474,7 +478,11 @@ The problem occurs when the WinPE boot image that is being serviced requires ins For scenarios where an older version of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The servicing stack update (SSU) is contained within the cumulative update (CU). To obtain the servicing stack update (SSU) so that it can be applied, it can be extracted from the cumulative update (CU). -The following steps outline how to extract and then install the servicing stack update (SSU) to the boot image. Once the before servicing stack update (SSU) has been installed, then the cumulative update (CU) should install to the boot image without error. These steps are only necessary if error 0x800f0823 occurs when installing the cumulative update (CU) to the boot image. If error 0x800f0823 isn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path): +The following steps outline how to extract and then install the servicing stack update (SSU) to the boot image. Once the before servicing stack update (SSU) has been installed, then the cumulative update (CU) should install to the boot image without error: + +> [!IMPORTANT] +> +> These steps are only necessary if error `0x800f0823` occurs when installing the cumulative update (CU) to the boot image. If error `0x800f0823` didn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path) 1. Create a folder to extract the servicing stack update (SSU) into. For example, `C:\Updates\Extract`: 
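Review bot: The rewritten sentence keeps the stray word in "Once the before servicing stack update (SSU) has been installed"; drop "before". The last sentence of the new `[!IMPORTANT]` block also stops at the Step 8 link without a closing period.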
@@ -508,7 +516,7 @@ The following steps outline how to extract and then install the servicing stack 1. Inspect the contents of the extracted files in the extract folder and identify the servicing stack update (SSU) CAB file. One of the files should be called `SSU--.cab`. For example, `SSU-19041.3205-x64.cab`. Make a note of the name of the servicing stack update (SSU) CAB file. -1. Apply the servicing stack update (SSU) CAB file to the boot image using the following command: +1. Using the name of the servicing stack update (SSU) CAB file obtained in the previous step, apply the servicing stack update (SSU) CAB file to the boot image using the following command: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) 
@@ -548,43 +556,59 @@ Some cumulative updates will update the bootmgr boot files in the boot image. Af ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) -From an elevated **PowerShell** command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands need confirmation to overwrite the existing bootmgr boot files: +From an elevated **PowerShell** command prompt, run the following commands to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands will also back up any existing bootmgr boot files its finds. The commands need confirmation to overwrite the existing bootmgr boot files and if they exist, any backed up bootmgr boot files: ```powershell +Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi" + Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" +Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" + Copy-Item "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" ``` **Example**: ```powershell +Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows 
Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi" + Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Force +Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" + Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" -Force ``` -To overwrite the bootmgr boot files without confirmation, for example in a script, add the `-Force` parameter to the end of the command line. +To overwrite the bootmgr boot files and any backed up bootmgr boot file without confirmation, for example in a script, add the `-Force` parameter to the end of the command lines. ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) -From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands need confirmation to overwrite the existing bootmgr boot files:: +From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands will also back up any existing bootmgr boot files its finds. 
The commands need confirmation to overwrite the existing bootmgr boot files and if they exist, any backed up bootmgr boot files: ```cmd +copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi" + copy "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" +copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" + copy "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" ``` **Example**: ```cmd +copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi" + copy "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" +copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" + copy "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" 
``` -To overwrite the bootmgr boot files without confirmation, for example in a script, add the `/Y` parameter to the end of the command line. +To overwrite the bootmgr boot files and any backed up bootmgr boot file without confirmation, for example in a script, add the `/Y` parameter to the end of the command lines. --- 
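Review bot: In the Command Line tab, the added backup line for `bootx64.efi` has source and destination swapped, in both the template and the example: it copies `...\Media\EFI\Boot\bootx64.bak.efi` to `...\Media\EFI\Boot\bootx64.efi`, whereas the PowerShell tab copies `bootx64.efi` to `bootx64.bak.efi`. As written, no backup of `bootx64.efi` is ever created, and on a first run the command fails because no `.bak` file exists yet; swap the two paths. Smaller points in the same hunk: "any existing bootmgr boot files its finds" should be "it finds", the Command Line lead-in still says "run the following command" for four commands, and the PowerShell example passes `-Force` only on the two overwrite lines although the text says it also applies to the backed up files.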
@@ -756,8 +780,69 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag 1. Once the export has completed: - 1. Delete the original updated boot image. - 1. Rename the exported boot image with the name of the original updated boot image. + 1. Delete the original updated boot image: + + ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + + From an elevated **PowerShell** command prompt, run the following command to delete the original updated boot image: + + ```powershell + Remove-Item -Path "\.wim" -Force + ``` + + **Example**: + + ```powershell + Remove-Item - Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Force + ``` + + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + + From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to delete the original updated boot image: + + ```cmd + del "\.wim" /Y + ``` + + **Example**: + + ```cmd + del "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /Y + ``` + + --- + + 1. 
Rename the exported boot image with the name of the original boot image: + + ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + + From an elevated **PowerShell** command prompt, run the following command to rename the exported boot image with the name of the original boot image: + + ```powershell + Rename-Item -Path "\.wim" -NewName ".wim" + ``` + + **Example**: + + ```powershell + Rename-Item -Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim" -NewName "winpe.wim" + ``` + + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + + From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to rename the exported boot image with the name of the original boot image: + + ```cmd + rename "\-export.wim" ".wim" + ``` + + **Example**: + + ```cmd + rename "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim" "winpe.wim" + ``` + + --- ## Microsoft Configuration Manager considerations From be95ee4bb1087118c5195d4ecc86d19e9bf878fe Mon Sep 17 00:00:00 2001 
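Review bot: Two commands in the `@@ -756,8 +780,69 @@` hunk of PATCH 054/110 will not run as written. The PowerShell example has `Remove-Item - Path "C:\Program Files (x86)\...\winpe.wim" -Force` with a space between `-` and `Path`, and both Command Line lines use `del ... /Y`; `del` has no `/Y` switch (its quiet switch is `/Q`), so the delete stops with an invalid switch error. Use `-Path` and `/Q`.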
From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 4 Aug 2023 09:21:45 -0400 Subject: [PATCH 055/110] meta aaron --- windows/application-management/add-apps-and-features.md | 6 +++--- windows/application-management/apps-in-windows-10.md | 6 +++--- .../enterprise-background-activity-controls.md | 7 ++++--- .../includes/app-v-end-life-statement.md | 6 +++--- .../includes/applies-to-windows-client-versions.md | 7 ++++--- windows/application-management/index.yml | 6 +++--- .../application-management/per-user-services-in-windows.md | 7 ++++--- ...private-app-repository-mdm-company-portal-windows-11.md | 6 +++--- .../remove-provisioned-apps-during-update.md | 7 ++++--- .../application-management/sideload-apps-in-windows-10.md | 6 +++--- .../application-management/svchost-service-refactoring.md | 7 ++++--- 11 files changed, 38 insertions(+), 33 deletions(-) diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index 2ae9fdd4fd..889b326553 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md @@ -1,10 +1,10 @@ --- title: Add or hide optional apps and features on Windows devices | Microsoft Docs description: Learn how to add Windows 10 and Windows 11 optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features. -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz manager: aaroncz -ms.date: 08/30/2021 +ms.date: 08/04/2023 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index e54211075c..6387f6e388 100644 
--- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -1,10 +1,10 @@ --- title: Learn about the different app types in Windows 10/11 | Microsoft Docs description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps. -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz manager: aaroncz -ms.date: 02/09/2023 +ms.date: 08/04/2023 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 19c8ec6649..0e22c4f696 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -1,10 +1,11 @@ --- title: Remove background task resource restrictions description: Allow enterprise background tasks unrestricted access to computer resources. -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz +manager: aaroncz +ms.date: 08/04/2023 manager: aaroncz -ms.date: 10/03/2017 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md index 14de444ad4..faa562b953 100644 --- a/windows/application-management/includes/app-v-end-life-statement.md +++ b/windows/application-management/includes/app-v-end-life-statement.md @@ -1,8 +1,8 @@ --- -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz manager: aaroncz -ms.date: 09/20/2021 +ms.date: 08/04/2023 ms.topic: include ms.prod: w10 ms.collection: tier1 
diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md index 13ec789f1d..2bde1c4e62 100644 --- a/windows/application-management/includes/applies-to-windows-client-versions.md +++ b/windows/application-management/includes/applies-to-windows-client-versions.md @@ -1,8 +1,9 @@ --- -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz +manager: aaroncz +ms.date: 08/04/2023 manager: aaroncz -ms.date: 09/28/2021 ms.topic: include ms.prod: windows-client ms.technology: itpro-apps diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index da969d420b..5705397c60 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -6,10 +6,10 @@ summary: Learn about managing applications in Windows client, including how to r metadata: title: Windows application management description: Learn about managing applications in Windows 10 and Windows 11. - author: nicholasswhite - ms.author: nwhite + author: aczechowski + ms.author: aaroncz manager: aaroncz - ms.date: 08/24/2021 + ms.date: 08/04/2023 ms.topic: landing-page ms.prod: windows-client ms.collection: diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index d094fba726..d1c1ee2688 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md 
@@ -1,10 +1,11 @@ --- title: Per-user services in Windows 10 and Windows Server description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates. -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz +manager: aaroncz +ms.date: 08/04/2023 manager: aaroncz -ms.date: 09/14/2017 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md index 926cb18f47..2d103039b2 100644 --- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md +++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md @@ -1,10 +1,10 @@ --- title: Use the Company Portal app for your private app repo on Windows 11 devices | Microsoft Docs description: Use the Company Portal app in Windows 11 devices to access the private app repository for your organization or company apps. Add apps to an MDM/MAM provider, and deploy the apps to Windows devices using policies. The Company Portal app replaces Microsoft Store for Business private store on Windows 11 devices. -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz manager: aaroncz -ms.date: 04/04/2023 +ms.date: 08/04/2023 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index 195ee09977..7868796168 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md 
@@ -1,10 +1,11 @@ --- title: How to keep apps removed from Windows 10 from returning during an update description: How to keep provisioned apps that were removed from your machine from returning during an update. -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz +manager: aaroncz +ms.date: 08/04/2023 manager: aaroncz -ms.date: 05/25/2018 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 30203efdaf..cacafd251f 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -1,10 +1,10 @@ --- title: Sideload LOB apps in Windows client OS | Microsoft Docs description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device. -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz manager: aaroncz -ms.date: 12/07/2017 +ms.date: 08/04/2023 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index f5c9589209..dbffee401e 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -1,10 +1,11 @@ --- title: Service Host service refactoring in Windows 10 version 1703 description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703. -author: nicholasswhite -ms.author: nwhite +author: aczechowski +ms.author: aaroncz +manager: aaroncz +ms.date: 08/04/2023 manager: aaroncz -ms.date: 07/20/2017 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps 
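Review bot: The hunks that grow the front matter by one line (`@@ -1,10 +1,11 @@` and `@@ -1,8 +1,9 @@`) add `+manager: aaroncz` above an unchanged `manager: aaroncz` context line, so five files end up with a duplicate `manager` key: enterprise-background-activity-controls.md, includes/applies-to-windows-client-versions.md, per-user-services-in-windows.md, remove-provisioned-apps-during-update.md and svchost-service-refactoring.md. Drop the added `manager` line in each and keep only the `author`, `ms.author` and `ms.date` changes, as the other files in this patch do. Patches 056 to 059 later remove the duplicate from four of these files, but no follow-up for includes/applies-to-windows-client-versions.md is visible here.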
From 50ac378bbb5d77947fffddaffaf5ba961a5d6fbe Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 4 Aug 2023 09:41:31 -0400 Subject: [PATCH 056/110] Update enterprise-background-activity-controls.md --- .../enterprise-background-activity-controls.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 0e22c4f696..d59d548da5 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -5,7 +5,6 @@ author: aczechowski ms.author: aaroncz manager: aaroncz ms.date: 08/04/2023 -manager: aaroncz ms.topic: article ms.prod: windows-client ms.technology: itpro-apps From 5e8ba5ed9273e8876258dba848835c5a8966e70f Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 4 Aug 2023 09:42:18 -0400 Subject: [PATCH 057/110] Update per-user-services-in-windows.md --- windows/application-management/per-user-services-in-windows.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index d1c1ee2688..ed038c7e0d 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md @@ -5,7 +5,6 @@ author: aczechowski ms.author: aaroncz manager: aaroncz ms.date: 08/04/2023 -manager: aaroncz ms.topic: article ms.prod: windows-client ms.technology: itpro-apps From 88b0b828440ee1d6e2b6fb5464a56aa302041eff Mon Sep 17 00:00:00 2001 
From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 4 Aug 2023 09:42:59 -0400 Subject: [PATCH 058/110] Update remove-provisioned-apps-during-update.md --- .../remove-provisioned-apps-during-update.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index 7868796168..24e4b5076d 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md @@ -5,7 +5,6 @@ author: aczechowski ms.author: aaroncz manager: aaroncz ms.date: 08/04/2023 -manager: aaroncz ms.topic: article ms.prod: windows-client ms.technology: itpro-apps From 465396aec7a64ba4743ef502003bb0480f2aee6f Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 4 Aug 2023 09:44:28 -0400 Subject: [PATCH 059/110] Update svchost-service-refactoring.md --- windows/application-management/svchost-service-refactoring.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index dbffee401e..cdcf69903a 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -5,7 +5,6 @@ author: aczechowski ms.author: aaroncz manager: aaroncz ms.date: 08/04/2023 -manager: aaroncz ms.topic: article ms.prod: windows-client ms.technology: itpro-apps From efc368cea89b9203cc88f72afbd8b633191a8db8 Mon Sep 17 00:00:00 2001 
From: tiaraquan Date: Fri, 4 Aug 2023 08:46:45 -0700 Subject: [PATCH 060/110] Renamed Deregister a device to Exclude a device --- windows/deployment/windows-autopatch/TOC.yml | 4 +- .../windows-autopatch-deregister-devices.md | 51 ----------------- .../windows-autopatch-exclude-device.md | 56 +++++++++++++++++++ .../windows-autopatch-unenroll-tenant.md | 8 +-- .../overview/windows-autopatch-overview.md | 2 +- ...indows-autopatch-roles-responsibilities.md | 6 +- 6 files changed, 66 insertions(+), 61 deletions(-) delete mode 100644 windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md create mode 100644 windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index c289d933cc..ad017e7f92 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -107,8 +107,8 @@ href: operate/windows-autopatch-manage-driver-and-firmware-updates.md - name: Submit a support request href: operate/windows-autopatch-support-request.md - - name: Deregister a device - href: operate/windows-autopatch-deregister-devices.md + - name: Exclude a device + href: operate/windows-autopatch-exclude-device.md - name: Unenroll your tenant href: operate/windows-autopatch-unenroll-tenant.md - name: References diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md deleted file mode 100644 index fa0d5b2cae..0000000000 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -title: Deregister a device -description: This article explains how to deregister devices -ms.date: 06/15/2022 -ms.prod: windows-client -ms.technology: itpro-updates -ms.topic: how-to -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: dougeby -ms.reviewer: andredm7 -ms.collection: - - tier2 ---- - -# Deregister a device - -To avoid end-user disruption, device deregistration in Windows Autopatch only deletes the Windows Autopatch device record itself. Device deregistration can't delete Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity. - -**To deregister a device:** - -1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Windows Autopatch** in the left navigation menu. -1. Select **Devices**. -1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister. -1. Once a device or multiple devices are selected, select **Device actions**, then select **Deregister device**. - -> [!WARNING] -> Removing devices from the Windows Autopatch Device Registration Azure AD group doesn't deregister devices from the Windows Autopatch service. - -## Excluded devices - -When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded" so Windows Autopatch doesn't try to reregister the device into the service again, since the deregistration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group. - -> [!IMPORTANT] -> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues. 
- -If you want to reregister a device that was previously deregistered from Windows Autopatch, you must [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team to request the removal of the "excluded" flag set during the deregistration process. After the Windows Autopatch Service Engineering Team removes the flag, you can reregister a device or a group of devices. - -## Hiding unregistered devices - -You can hide unregistered devices you don't expect to be remediated anytime soon. - -**To hide unregistered devices:** - -1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Windows Autopatch** in the left navigation menu. -1. Select **Devices**. -1. In the **Not ready** tab, select an unregistered device or a group of unregistered devices you want to hide then select **Status == All**. -1. Unselect the **Registration failed** status checkbox from the list. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md new file mode 100644 index 0000000000..c1acd3c8bf --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md 
@@ -0,0 +1,56 @@ +--- +title: Exclude a device +description: This article explains how to exclude a device from the Windows Autopatch service +ms.date: 08/04/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: andredm7 +ms.collection: + - tier2 +--- + +# Exclude a device + +To avoid end-user disruption, excluding a device in Windows Autopatch only deletes the Windows Autopatch device record itself. Excluding a device can't delete the Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity. + +When you exclude a device from the Windows Autopatch service, the device is flagged as "excluded" so Windows Autopatch doesn't try to restore the device into the service again, since the exclusion command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** group, or any other Azure AD group, used with Autopatch groups. + +> [!IMPORTANT] +> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues. + +**To exclude a device:** + +1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Windows Autopatch** in the left navigation menu. +1. Select **Devices**. +1. In either the **Ready** or **Not ready** tab, select the device(s) you want to exclude. +1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Exclude device**. + +> [!WARNING] +> Excluding devices from the Windows Autopatch Device Registration group, or any other Azure AD group, used with Autopatch groups doesn't exclude devices from the Windows Autopatch service. 
+ +## Only view excluded devices + +You can view the excluded devices in the **Not registered** tab to make it easier for you to bulk restore devices that were previously excluded from the Windows Autopatch service. + +**To view only excluded devices:** + +1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Windows Autopatch** in the left navigation menu. +1. Select **Devices**. +1. In the **Not registered** tab, select **Excluded** from the filter list. Leave all other filter options unselected. + +## Restore a device or multiple devices previously excluded + +**To restore a device or multiple devices previously excluded:** + +1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Windows Autopatch** in the left navigation menu. +1. Select **Devices**. +1. In the **Not registered** tab, select the device(s) you want to restore. +1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Restore device**. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md index 1269f66d0f..f39f8c2f8f 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md @@ -1,7 +1,7 @@ --- title: Unenroll your tenant description: This article explains what unenrollment means for your organization and what actions you must take. -ms.date: 07/27/2022 +ms.date: 08/04/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to 
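Review bot: In the `[!WARNING]` callout of the new windows-autopatch-exclude-device.md, the rename replaced "Removing" with "Excluding", so the sentence now says that excluding devices from a group doesn't exclude them from the service. The deleted page warned that removing devices from the Windows Autopatch Device Registration group doesn't deregister them; keep "Removing devices from ..." as the subject so the warning still tells admins that a group-membership change alone leaves the device in the service. The steps also name the tab **Not ready** when excluding and **Not registered** when viewing or restoring, so confirm both labels match the portal.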
@@ -25,7 +25,7 @@ If you're looking to unenroll your tenant from Windows Autopatch, this article d Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will: - Remove Windows Autopatch access to your tenant. -- Deregister your devices from the Windows Autopatch service. Deregistering your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). +- Exclude your devices from the Windows Autopatch service. Excluding your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Exclude a device](../operate/windows-autopatch-exclude-device.md). - Delete all data that we've stored in the Windows Autopatch data storage. > [!NOTE] 
@@ -36,7 +36,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro | Responsibility | Description | | ----- | ----- | | Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). | -| Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). | +| Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). | ## Your responsibilities after unenrolling your tenant 
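Review bot: The replacement link in the "Excluding devices" row is written `../operate/windows-autopatch-exclude-device.md`, but windows-autopatch-unenroll-tenant.md already lives in `operate/`, so the path climbs out of the directory and straight back in. The bare file name `windows-autopatch-exclude-device.md` would be enough and matches how the support-request link in this file was written before this patch.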
@@ -50,7 +50,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro **To unenroll from Windows Autopatch:** -1. [Submit a support request](windows-autopatch-support-request.md) and request to unenroll from the Windows Autopatch service. +1. [Submit a support request](../operate/windows-autopatch-support-request.md) and request to unenroll from the Windows Autopatch service. 1. The Windows Autopatch Service Engineering Team will communicate with your IT Administrator to confirm your intent to unenroll from the service. 1. You'll have 14 days to review and confirm the communication sent by the Windows Autopatch Service Engineering Team. 2. The Windows Autopatch Service Engineering Team can proceed sooner than 14 days if your confirmation arrives sooner. diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index a071f7e68d..5040b8ad68 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md @@ -64,7 +64,7 @@ Microsoft remains committed to the security of your data and the [accessibility] | ----- | ----- | | Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:
  • [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
  • [Configure your network](../prepare/windows-autopatch-configure-network.md)
  • [Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)
  • [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)
  • [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
| | Deploy | Once you've enrolled your tenant, this section instructs you to:
  • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
  • [Register your devices](../deploy/windows-autopatch-register-devices.md)
  • [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md)
| -| Operate | This section includes the following information about your day-to-day life with the service:
  • [Update management](../operate/windows-autopatch-groups-update-management.md)
  • [Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md)
  • [Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)
  • [Submit a support request](../operate/windows-autopatch-support-request.md)
  • [Deregister a device](../operate/windows-autopatch-deregister-devices.md)
+| Operate | This section includes the following information about your day-to-day life with the service:
  • [Update management](../operate/windows-autopatch-groups-update-management.md)
  • [Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md)
  • [Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)
  • [Submit a support request](../operate/windows-autopatch-support-request.md)
  • [Exclude a device](../operate/windows-autopatch-exclude-device.md)
| References | This section includes the following articles:
  • [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md)
  • [Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)
  • [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)
| ### Have feedback or would like to start a discussion? diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index 816790a4c7..851207d167 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md @@ -86,10 +86,10 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | Maintain existing configurations
  • Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies
| :heavy_check_mark: | :x: | | Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are
  • [Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)
  • [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)
  • have [Device alerts](../operate/windows-autopatch-device-alerts.md)
| [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: | -| [Deregister devices](../operate/windows-autopatch-deregister-devices.md) | :heavy_check_mark: | :x: | -| [Register a device that was previously deregistered (upon customers request)](../operate/windows-autopatch-deregister-devices.md#excluded-devices) | :x: | :heavy_check_mark: | +| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | :heavy_check_mark: | :x: | +| [Register a device that was previously excluded (upon customers request)](../operate/windows-autopatch-exclude-devie.md) | :x: | :heavy_check_mark: | | [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: | -| [Remove Windows Autopatch data from the service and deregister devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: | +| [Remove Windows Autopatch data from the service and exclude devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: | | [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: | | Review and respond to Message Center and Service Health Dashboard notifications
  • [Windows quality update communications](../operate/windows-autopatch-groups-windows-quality-update-communications.md)
  • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
| :heavy_check_mark: | :x: | | Highlight Windows Autopatch management alerts that require customer action
  • [Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)
  • [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md)
| :x: | :heavy_check_mark: | From b9db66f6e46b5fc27ee542ee521bc62b4fb559d4 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 4 Aug 2023 08:53:58 -0700 Subject: [PATCH 061/110] Fixed broken link --- .../overview/windows-autopatch-roles-responsibilities.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index 851207d167..adfb109577 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md @@ -1,7 +1,7 @@ --- title: Roles and responsibilities description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do -ms.date: 07/31/2023 +ms.date: 08/04/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -87,7 +87,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are
  • [Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)
  • [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)
  • have [Device alerts](../operate/windows-autopatch-device-alerts.md)
| [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: | | [Exclude a device](../operate/windows-autopatch-exclude-device.md) | :heavy_check_mark: | :x: | -| [Register a device that was previously excluded (upon customers request)](../operate/windows-autopatch-exclude-devie.md) | :x: | :heavy_check_mark: | +| [Register a device that was previously excluded (upon customers request)](../operate/windows-autopatch-exclude-device.md) | :x: | :heavy_check_mark: | | [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: | | [Remove Windows Autopatch data from the service and exclude devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: | | [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: | From bda992a4426e81d7555b91d0bf63a97ae8963e52 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 4 Aug 2023 10:18:11 -0700 Subject: [PATCH 062/110] Changed date for 080823 --- .../operate/windows-autopatch-exclude-device.md | 2 +- .../operate/windows-autopatch-unenroll-tenant.md | 2 +- .../windows-autopatch/overview/windows-autopatch-overview.md | 2 +- .../overview/windows-autopatch-roles-responsibilities.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md index c1acd3c8bf..e8002779df 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md 
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md @@ -1,7 +1,7 @@ --- title: Exclude a device description: This article explains how to exclude a device from the Windows Autopatch service -ms.date: 08/04/2023 +ms.date: 08/08/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md index f39f8c2f8f..168bccb66d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md @@ -1,7 +1,7 @@ --- title: Unenroll your tenant description: This article explains what unenrollment means for your organization and what actions you must take. -ms.date: 08/04/2023 +ms.date: 08/08/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index 5040b8ad68..62ac288ad4 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md @@ -1,7 +1,7 @@ --- title: What is Windows Autopatch? description: Details what the service is and shortcuts to articles. -ms.date: 07/11/2023 +ms.date: 08/08/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index adfb109577..1a0e660f16 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md 
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md @@ -1,7 +1,7 @@ --- title: Roles and responsibilities description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do -ms.date: 08/04/2023 +ms.date: 08/08/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual From 336a4c34239464b3066942eaad2a6aeaab67e489 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 4 Aug 2023 15:35:50 -0400 Subject: [PATCH 063/110] Update Boot Image with CU Article 48 --- windows/deployment/update-boot-image.md | 40 +++++++++++++++++-------- 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 58dcc4dcaa..18b6a6f419 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -44,6 +44,7 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum - [Step 10: Verify all desired packages have been added to boot image](#step-10-verify-all-desired-packages-have-been-added-to-boot-image) - [Step 11: Unmount boot image and save changes](#step-11-unmount-boot-image-and-save-changes) - [Step 12: Export boot image to reduce size](#step-12-export-boot-image-to-reduce-size) +- [Step 13: Update boot images in products that utilize the boot images (optional)](#step-13-update-boot-image-in-products-that-utilize-the-boot-image-if-applicable) ## Step 1: Download and install ADK 
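Review bot: The new step-list entry reads "Step 13: Update boot images in products that utilize the boot images (optional)", but its anchor and the heading added later in this patch say "Update boot image in products that utilize the boot image (if applicable)". Make the link text match the heading so the list and the section use the same wording and the same qualifier.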
@@ -844,6 +845,16 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag --- +## Step 13: Update boot image in products that utilize the boot image (if applicable) + +After the default `winpe.wim` boot image from the Windows ADK has been updated, additional steps usually need to take place in the product(s) that utilize the boot image . The following links contain information on how to update the boot image for several popular products that utilize boot images: + +- [Microsoft Configuration Manager](#updating-the-boot-image-in-configuration-manager) +- [Microsoft Deployment Toolkit (MDT)](#updating-the-boot-image-in-mdt) +- Windows Deployment Services + +For any other products that utilize boot images, please consult their documentation on how to finish updating the boot image. + ## Microsoft Configuration Manager considerations ### How Microsoft Configuration Manager creates boot images @@ -884,6 +895,8 @@ When adding a cumulative update to a Configuration Manager boot image, it's reco By updating `winpe.wim` from the Windows ADK, this will ensure that the cumulative update will stay applied regardless of what changes are made to the `boot.wim` boot image via Configuration Manager. +### Updating the boot image in Configuration Manager + After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager that contains the cumulative update by using the following steps: 1. Open the Microsoft Configuration manager console. 
@@ -904,7 +917,11 @@ After updating the `winpe.wim` boot image from the Windows ADK, generate a new ` 1. Once the boot image finishes building, the **Completion**/**The task "Update Distribution Points Wizard" completed successfully** page will appear. Select the **Close** button. -This process in addition to updating the boot image used by Configuration Manager will also update the boot images and the boot files used by any PXE enabled distribution points. +This process updates the boot image used by Configuration Manager. It will also update the boot image and the boot files used by any PXE enabled distribution points. + +> [!IMPORTANT] +> +> If there are multiple boot images used in the environment for PXE enabled distribution points, make sure to update all of the PXE enabled boot images with the same cumulative update. This will ensure that the PXE enabled distribution points all use the latest version of the bootmgr boot files extracted from the boot images (if applicable). ### Add optional components manually to Configuration Manager boot images 
@@ -938,27 +955,26 @@ After completing the walkthrough, update any Configuration Manager boot media to When adding a cumulative update to a Microsoft Deployment Toolkit (MDT) boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK instead of directly updating the `LiteTouchPE_.wim` boot image in the MDT Deployment Share. The `winpe.wim` boot image from the Windows ADK should be updated instead of the `LiteTouchPE_.wim` boot image from the MDT Deployment Share because if `LiteTouchPE_.wim` is updated, then the next time the MDT Deployment Share is updated, the changes made to `LiteTouchPE_.wim`, including the applied cumulative update, may be lost. If the `winpe.wim` boot image from the Windows ADK is updated instead, then the changes to the MDT boot image including the applied cumulative update will persist and be preserved when the MDT Deployment Share is updated. + +### Updating the boot image in MDT + After updating the `winpe.wim` boot image from the Windows ADK, generate a new `LiteTouchPE_.wim` boot image for MDT that contains the cumulative update by using the following steps: -1. Open the Microsoft Configuration manager console. +1. Open the Microsoft Deployment Toolkit (MDT) Deployment Workbench console. -1. In the Microsoft Configuration manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**. +1. In the Deployment Workbench console, navigate to **Deployment Workbench** > **Deployment Shares** > **MDT Deployment Share**. -1. In the **Boot Images** pane, select the desired boot image. +1. Right click on **MDT Deployment Share** and select **Update Deployment Share**. -1. In the toolbar, select **Update Distribution Points**. +1. In the **Update Deployment Share Wizard** window that appears: -1. In the **Update Distribution Points Wizard** window that appears: - - 1. 
In the **General**/**Update distribution points with this image** page, select the **Reload this boot image with the current Windows PE version from the Windows ADK** option, and then select the **Next >** button. + 1. In the **Options** page, select the **Completely regenerate the boot images** option, and then select the **Next >** button. 1. In the **Summary** page, select the **Next >** button. - 1. The **Progress** page will appears while the boot image builds. + 1. The **Progress** page will appears while the boot image and deployment share builds. - 1. Once the boot image finishes building, the **Completion**/**The task "Update Distribution Points Wizard" completed successfully** page will appear. Select the **Close** button. - -This process in addition to updating the boot image used by Configuration Manager will also update the boot images and the boot files used by any PXE enabled distribution points. + 1. Once the boot image and deployment share finishes building, the **Confirmation**/**The process completed successfully** page will appear. Select the **Finish** button. ### MDT and Windows ADK versions From b80c8c5a3a082d86b64155de32c39f2097456317 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 4 Aug 2023 17:14:05 -0400 Subject: [PATCH 064/110] Update Boot Image with CU Article 49 --- windows/deployment/update-boot-image.md | 41 ++++++++++++------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 18b6a6f419..f23f720da4 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -515,7 +515,7 @@ The following steps outline how to extract and then install the servicing stack --- -1. Inspect the contents of the extracted files in the extract folder and identify the servicing stack update (SSU) CAB file. One of the files should be called `SSU--.cab`. For example, `SSU-19041.3205-x64.cab`. Make a note of the name of the servicing stack update (SSU) CAB file. +1. Inspect the extracted files in the extract folder and identify the servicing stack update (SSU) CAB file. One of the files should be called `SSU--.cab`. For example, `SSU-19041.3205-x64.cab`. Make a note of the name of the servicing stack update (SSU) CAB file. 1. Using the name of the servicing stack update (SSU) CAB file obtained in the previous step, apply the servicing stack update (SSU) CAB file to the boot image using the following command: 
@@ -783,35 +783,35 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag 1. Delete the original updated boot image: - ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) - From an elevated **PowerShell** command prompt, run the following command to delete the original updated boot image: + From an elevated **PowerShell** command prompt, run the following command to delete the original updated boot image: - ```powershell - Remove-Item -Path "\.wim" -Force - ``` + ```powershell + Remove-Item -Path "\.wim" -Force + ``` - **Example**: + **Example**: - ```powershell - Remove-Item - Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Force - ``` + ```powershell + Remove-Item - Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Force + ``` - ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) - From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to delete the original updated boot image: + From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to delete the original updated boot image: - ```cmd - del "\.wim" /Y - ``` + ```cmd + del "\.wim" /Y + ``` - **Example**: + **Example**: - ```cmd - del "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /Y - ``` + ```cmd + del "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation 
Environment\amd64\en-us\winpe.wim" /Y + ``` - --- + --- 1. Rename the exported boot image with the name of the original boot image: @@ -955,7 +955,6 @@ After completing the walkthrough, update any Configuration Manager boot media to When adding a cumulative update to a Microsoft Deployment Toolkit (MDT) boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK instead of directly updating the `LiteTouchPE_.wim` boot image in the MDT Deployment Share. The `winpe.wim` boot image from the Windows ADK should be updated instead of the `LiteTouchPE_.wim` boot image from the MDT Deployment Share because if `LiteTouchPE_.wim` is updated, then the next time the MDT Deployment Share is updated, the changes made to `LiteTouchPE_.wim`, including the applied cumulative update, may be lost. If the `winpe.wim` boot image from the Windows ADK is updated instead, then the changes to the MDT boot image including the applied cumulative update will persist and be preserved when the MDT Deployment Share is updated. - ### Updating the boot image in MDT After updating the `winpe.wim` boot image from the Windows ADK, generate a new `LiteTouchPE_.wim` boot image for MDT that contains the cumulative update by using the following steps: From fd98ad8e2bde0d9ae8bf97f0140025f3cb67b2e5 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 4 Aug 2023 19:24:32 -0400 Subject: [PATCH 065/110] Update Boot Image with CU Article 50 --- windows/deployment/update-boot-image.md | 173 ++++++++++++++---------- 1 file changed, 98 insertions(+), 75 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index f23f720da4..f8a82b38de 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -27,7 +27,7 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum - [Windows Assessment and Deployment Kit (Windows ADK)](/windows-hardware/get-started/adk-install) - It's recommended to use the latest version of the ADK. - [Windows PE add-on for the Windows ADK](/windows-hardware/get-started/adk-install). Make sure the version of Windows PE matches the version of Windows ADK that is being used. -- Windows PE boot image +- Windows PE boot image. - Latest cumulative update downloaded from the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site. ## Steps 
@@ -50,9 +50,11 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum 1. Download and install the **Windows Assessment and Deployment Kit (Windows ADK)** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). - When installing the Windows ADK, for the purpose of this walk-through, it's only necessary to install the **Deployment Tools**. One of the tools installed will be the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option instead of the **PowerShell** option to run the commands in this walk-through, make sure to run the commands from the **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**. + When installing the Windows ADK, for the purpose of this walk-through, it's only necessary to install the **Deployment Tools**. Other products, such as Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT), may require additional features installed, such as the **User State Migration Tool (USMT)**. - The paths in this article assume the Windows ADK was installed to the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly. + One of the tools installed when installing the the **Deployment Tools** feature will be the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option to run the commands in this walk-through, make sure to run the commands from an elevated **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**. 
+ + The paths in this article assume the Windows ADK was installed at the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly. 1. Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). The **Windows PE add-on for the Windows ADK** is a separate download and install from the **Windows Assessment and Deployment Kit (Windows ADK)**. Make sure to individually download and install both. 
@@ -60,13 +62,15 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum > > It's strongly recommended to download and install the latest version of the Windows ADK and the Windows PE add-on for the Windows ADK. > -> However, the Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. If using MDT, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT. +> In certain instances, older versions of the Windows ADK and Windows PE add-on may need to be used instead of the latest version. For example: > -> Additionally, the latest versions of the **Windows PE add-on for the Windows ADK** only includes 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images. +> - Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. If using MDT, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT. +> +> - The latest versions of the **Windows PE add-on for the Windows ADK** only includes 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images. ## Step 2: Download cumulative update (CU) -1. 
Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update for the version of Windows that matches the version of Windows PE that was downloaded in [Step 1](#step-1-download-and-install-adk) or the version of the Windows PE boot image that will be updated. +1. Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update for the version of Windows that matches the version of the Windows PE boot image that is being updated. 1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"- cumulative update for windows "` where `year` is the four digit current year, `` is the two digit current month, and `` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in July 2023, use the search term `"2023-07 cumulative update for windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search on the previous month. 
@@ -88,20 +92,20 @@ Before modifying the desired boot image, make a backup copy of the boot image th - For the default 64-bit boot image that is generated by **Microsoft Configuration Manager**, the boot image is located at `\OSD\boot\x64\boot.wim`. For other boot images in Configuration Manager, the path to the boot image will be displayed in the **Image path:** field under the **Data Source** tab in the **Properties** of the boot image. - However, for **Microsoft Configuration Manager** it's recommended to modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations). + However, for **Microsoft Configuration Manager** it's recommended to instead modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations). - For the default 64-bit boot image that is generated by the **Microsoft Deployment Toolkit (MDT)**, the boot image is located at `\Boot\LiteTouchPE_x64.wim`. - However, for **Microsoft Deployment Toolkit (MDT)** it's recommended to modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Deployment Toolkit (MDT) considerations](#microsoft-deployment-toolkit-mdt-considerations). + However, for **Microsoft Deployment Toolkit (MDT)** it's recommended to instead modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Deployment Toolkit (MDT) considerations](#microsoft-deployment-toolkit-mdt-considerations). - For 64-bit boot images in **Windows Deployment Services (WDS)**, the boot images are located at `\Boot\x64\Images`. -Adjust the above paths for 32-bit boot images (only available in Windows 10 ADKs). 
+Adjust the above paths for 32-bit boot images (only available with Windows 10 ADKs). The following commands will backup the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) -From an elevated **PowerShell** command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. This commands needs confirmation to overwrite an existing backed up boot image if one already exists: +From an elevated **PowerShell** command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. If a backed up boot image already exists, this command needs confirmation before it overwrites the existing backed up boot image: ```powershell Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.bak.wim" 
@@ -109,11 +113,11 @@ Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\ Adjust paths and file names accordingly to back up other boot images. -To overwrite an existing backed up boot image without confirmation, for example in a script, add the `-Force` parameter to the end of the command line. +To automatically overwrite an existing backed up boot image without confirmation, for example in a script, add the `-Force` parameter to the end of the command line. ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) -From an elevated command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. This commands needs confirmation to overwrite an existing backed up boot image if one already exist: +From an elevated command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. If a backed up boot image already exists, this command needs confirmation before it overwrites the existing backed up boot image: ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.bak.wim" 
@@ -121,13 +125,17 @@ copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windo Adjust paths and file names accordingly to back up other boot images. -To overwrite an existing backed up boot image without confirmation, for example in a script, add the `/Y` parameter to the end of the command line. +To automatically overwrite an existing backed up boot image without confirmation, for example in a script, add the `/Y` parameter to the end of the command line. --- +> [!IMPORTANT] +> +> When using the default `winpe.wim` boot image from the **Windows PE add-on for the Windows ADK**, it's recommended to always have a backed copy of the original unmodified boot image. This allows reverting back to the pristine untouched original boot image in case any issues occur with any iteration of an updated boot image. Additionally, whenever a new cumulative update needs to be applied to a boot image, it's recommended to always start fresh and update from the original boot image with no updates instead of updating a previously updated boot image. + ## Step 4: Mount boot image to mount folder -1. Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. +1. Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. If using a previously created mount folder, ensure that it is empty and doesn't have any previously mounted images in it. 1. Mount the boot image to the mount folder using one of the following methods: 
@@ -284,9 +292,13 @@ Drivers are not affected by the cumulative update installed later in this walkth --- -1. Make sure that after adding the optional component to also add the language specific component for that optional component. This needs to be done for every optional component that is added to the boot image. +1. After adding an optional component to the boot image, make sure to also add the language specific component for that optional component. - For example, for English United States (en-us), add the following: + Not all optional components have the language specific component. However, for optional components that do have a language specific component, make sure that the language specific component is installed. + + To check if an optional component has a language component, check the `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\\` directory to see if there is a matching language component for that optional component. + + For example, to install the English United States (en-us) language component for an optional component, use the following command line: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) @@ -355,7 +367,7 @@ For a full list of all available WinPE optional components including description ## Step 7: Add cumulative update (CU) to boot image -Apply the cumulative update (CU) downloaded earlier in the walkthrough to the boot image: +Apply the cumulative update (CU) downloaded during the [Step 2: Download cumulative update (CU)](#step-2-download-cumulative-update-cu) step to the boot image: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) 
@@ -393,7 +405,7 @@ For more information, see [Add or Remove Packages Offline Using DISM](/windows-h > [!IMPORTANT] > -> Make sure not to apply the cumulative update (CU) until all desired optional components have been installed. This will make sure that the optional components are also properly updated by the cumulative update. If in the future any additional optional components need to be added to the boot image, make sure to reapply the cumulative update. +> Make sure not to apply the cumulative update (CU) until all desired optional components have been installed via the [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) step. Waiting to install the cumulative update (CU) until all optional components are installed makes sure that the optional components are also properly updated by the cumulative update. If in the future any additional optional components need to be added to the boot image, make sure to reapply the cumulative update. ### Servicing stack update (SSU) and error 0x800f0823 
@@ -479,7 +491,7 @@ The problem occurs when the WinPE boot image that is being serviced requires ins For scenarios where an older version of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The servicing stack update (SSU) is contained within the cumulative update (CU). To obtain the servicing stack update (SSU) so that it can be applied, it can be extracted from the cumulative update (CU). -The following steps outline how to extract and then install the servicing stack update (SSU) to the boot image. Once the before servicing stack update (SSU) has been installed, then the cumulative update (CU) should install to the boot image without error: +The following steps outline how to extract and then install the servicing stack update (SSU) to the boot image. Once the servicing stack update (SSU) has been installed in the boot image, then the cumulative update (CU) should install to the boot image without error: > [!IMPORTANT] > @@ -492,7 +504,7 @@ The following steps outline how to extract and then install the servicing stack ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) ```powershell - Start-Process "expand.exe" -ArgumentList " -f:* `"\.msu`" `"`"" -Wait -LoadUserProfile + Start-Process "expand.exe" -ArgumentList " -f:* `"\.msu`" `"`"" -Wait -LoadUserProfile ``` **Example**: @@ -504,7 +516,7 @@ The following steps outline how to extract and then install the servicing stack ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) ```cmd - expand.exe -f:* "\.msu" "" + expand.exe -f:* "\.msu" "" ``` **Example**: 
@@ -557,7 +569,7 @@ Some cumulative updates will update the bootmgr boot files in the boot image. Af ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) -From an elevated **PowerShell** command prompt, run the following commands to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands will also back up any existing bootmgr boot files its finds. The commands need confirmation to overwrite the existing bootmgr boot files and if they exist, any backed up bootmgr boot files: +From an elevated **PowerShell** command prompt, run the following commands to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands will also back up any existing bootmgr boot files its finds. When applicable, the commands need confirmation to overwrite any existing files: ```powershell Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi" 
@@ -585,7 +597,7 @@ To overwrite the bootmgr boot files and any backed up bootmgr boot file without ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) -From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands will also back up any existing bootmgr boot files its finds. The commands need confirmation to overwrite the existing bootmgr boot files and if they exist, any backed up bootmgr boot files: +From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands will also back up any existing bootmgr boot files its finds. When applicable, the commands need confirmation to overwrite any existing files: ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi" 
@@ -613,7 +625,7 @@ To overwrite the bootmgr boot files and any backed up bootmgr boot file without --- -This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr boot files are available to the ADK when creating bootable media. This includes any product that uses the ADK to create bootable media. +This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr boot files are available to the Windows ADK when creating bootable media via the Windows ADK. This may include any product that uses the Windows ADK to create bootable media. In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). 
@@ -643,6 +655,8 @@ Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase" -Wait -LoadUserProfile ``` +For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Cleanup-Image](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#cleanup-image). + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to clean up the mounted boot image and help reduce its size: 
@@ -815,37 +829,37 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag 1. Rename the exported boot image with the name of the original boot image: - ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) - From an elevated **PowerShell** command prompt, run the following command to rename the exported boot image with the name of the original boot image: + From an elevated **PowerShell** command prompt, run the following command to rename the exported boot image with the name of the original boot image: - ```powershell - Rename-Item -Path "\.wim" -NewName ".wim" - ``` + ```powershell + Rename-Item -Path "\.wim" -NewName ".wim" + ``` - **Example**: + **Example**: - ```powershell - Rename-Item -Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim" -NewName "winpe.wim" - ``` + ```powershell + Rename-Item -Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim" -NewName "winpe.wim" + ``` - ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) - From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to rename the exported boot image with the name of the original boot image: + From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to rename the exported boot image with the name of the original boot image: - ```cmd - rename "\-export.wim" ".wim" - ``` + ```cmd + rename "\-export.wim" ".wim" + ``` - **Example**: + **Example**: - ```cmd - rename "C:\Program Files 
(x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim" "winpe.wim" - ``` + ```cmd + rename "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim" "winpe.wim" + ``` - --- + --- -## Step 13: Update boot image in products that utilize the boot image (if applicable) +## Step 13: Update boot image in products that utilize it (if applicable) After the default `winpe.wim` boot image from the Windows ADK has been updated, additional steps usually need to take place in the product(s) that utilize the boot image . The following links contain information on how to update the boot image for several popular products that utilize boot images: 
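Review bot: Renaming the heading to "Step 13: Update boot image in products that utilize it (if applicable)" changes the anchor generated for this section, so any in-page or cross-article links to the old Step 13 anchor need to be updated in the same change. The context line directly below still has a stray space before the period in "utilize the boot image ." and could be fixed while here. The other changed lines in this hunk appear to differ only in indentation of the tab content.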
@@ -859,23 +873,25 @@ For any other products that utilize boot images, please consult their documentat ### How Microsoft Configuration Manager creates boot images -Microsoft Configuration Manager creates its own boot images by taking the `winpe.wim` from the Windows ADK, adding some [optional components it requires](#configuration-manager-boot-image-required-components) to function correctly, and then saving the boot image as `boot.wim` in the directory `\OSD\boot\\boot.wim`. This `boot.wim` boot image is considered the pristine authoritative copy of the boot image by Configuration Manager and is never touched, modified, or updated by Configuration Manager except in some very specific scenarios. Instead, when changes such as: +Microsoft Configuration Manager creates its own boot images by taking the `winpe.wim` from the Windows ADK, adding some [optional components it requires](#configuration-manager-boot-image-required-components) to function correctly, and then saving the boot image as `boot.wim` in the directory `\OSD\boot\\boot.wim`. This `boot.wim` boot image is considered the pristine authoritative copy of the boot image by Configuration Manager and is never touched, modified, or updated by Configuration Manager except in some very specific scenarios. Instead, when changes are done in the properties of the boot image in Configuration Manager such as: - Adding drivers - Adding optional components - Enabling the command prompt -are done in the properties of the boot image in Configuration Manager, Configuration Manager makes a copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. If any additional changes are done to the boot image, Configuration Manager discards the previously created `boot..wim` boot image, makes a new copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. In other words, `boot.wim` is never touched. 
Any time any changes are made to a boot image, both the new changes and any changes done in the past are all reapplied to a new copy of `boot.wim`. +Configuration Manager makes a copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. -This process makes has the following advantages: +If in the future any additional changes are done to the boot image, Configuration Manager discards the previously created `boot..wim` boot image, makes a new copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. In other words, `boot.wim` is never touched. Any time any changes are made to a boot image, both the new changes and any changes done in the past are all reapplied to a new copy of `boot.wim`. + +This process has the following advantages: 1. Keeps `boot.wim` pristine. -1. Makes sure that when changes are made to a boot image, they are being done to a copy of a pristine version of the boot image that hasn't had been modified in the past. This helps avoid corruption and/or corrects issues with existing boot images. +1. Makes sure that when changes are made to a boot image, they are being done to a copy of a pristine version of the boot image that hasn't had been modified in the past. This helps avoid corruption when a boot image is updated multiple times. I can also correct issues with existing boot images. -1. Helps manage components in the boot image. The process doesn't need to know what components it might need to remove from the boot image each time the boot image is rebuilt. Instead, it just needs to know what components to add to the boot image. +1. Helps manage components in the boot image. The process doesn't need to know what components may need to be removed from the boot image each time the boot image is rebuilt. Instead, it just needs to know what components need to be added to the boot image. -1. 
Reduces the size of the boot image that can occur when components are removed from the boot image. +1. Reduces the size of the boot image that can occur when components are repeatedly added to and removed from the boot image. There are two scenarios when the `boot.wim` boot image is updated by Configuration Manager: 
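Review bot: In the second numbered advantage, the added line reads "I can also correct issues with existing boot images", which should be "It can also correct issues". The same line keeps "hasn't had been modified" from the old text (should be "hasn't been modified"), and the last item, "Reduces the size of the boot image that can occur when components are repeatedly added to and removed", needs a noun such as "growth in size" to parse.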
@@ -887,17 +903,23 @@ In theses scenarios, the `boot.wim` boot image is updated using the `winpe.wim` ### Which boot image should be updated with the cumulative update? -When adding a cumulative update to a Configuration Manager boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK instead of directly updating the `boot.wim` boot image generated by Configuration Manager. The `winpe.wim` boot image from the Windows ADK should be updated instead of the `boot.wim` boot image generated by Configuration Manager for the following reasons: +When manually adding a cumulative update to a Configuration Manager boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK instead of directly updating the `boot.wim` boot image generated by Configuration Manager. -1. If `boot.wim` is updated, then the next time `boot.wim` is updated via a Configuration Manager upgrade or the **Reload this boot image with the current Windows PE version from the Windows ADK** option, the changes made to `boot.wim` including the applied cumulative update will be lost. If the `winpe.wim` boot image from the Windows ADK is updated instead, then the changes to the Configuration Manager boot image including the applied cumulative update will persist and be preserved when Configuration Manager does update the `boot.wim` boot image. +The `winpe.wim` boot image from the Windows ADK should be updated because if `boot.wim` generated by Configuration Manager is updated instead, then the next time `boot.wim` is updated via a Configuration Manager upgrade or the **Reload this boot image with the current Windows PE version from the Windows ADK** option, then changes made to `boot.wim`, including the applied cumulative update, will be lost. 
If the `winpe.wim` boot image from the Windows ADK is updated instead, then changes boot image, including the applied cumulative update, will persist and be preserved even when Configuration Manager does update the `boot.wim` boot image. -1. If `boot..wim` is updated, then it will not only face the issues when `boot.wim` is updated, but it will also lose any changes, including the applied cumulative update, when any changes are done to the boot image (e.g. adding drivers, enabling the command prompt, etc.). Additionally, it will change the hash value of the boot image which can lead to download failures when downloading the boot image from a distribution point. +> [!IMPORTANT] +> +> Never manually update the `boot..wim` boot image. In addition to facing the same issues when manually updating the `boot.wim` boot image, the `boot..wim` boot image will also face additional issues such as: +> +> - Any time any changes are done to the boot image, such as adding drivers, enabling the command prompt. etc, any manual changes done to the boot image, including the cumulative update, will be lost. +> +> - Manually changing the `boot..wim` boot image changes the hash value of the boot image. A change in the hash value of the boot image can lead to download failures when downloading the boot image from a distribution point. By updating `winpe.wim` from the Windows ADK, this will ensure that the cumulative update will stay applied regardless of what changes are made to the `boot.wim` boot image via Configuration Manager. ### Updating the boot image in Configuration Manager -After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager that contains the cumulative update by using the following steps: +After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager so that it contains the cumulative update. 
A new `boot.wim` boot image can be generated by using the following steps: 1. Open the Microsoft Configuration manager console. 
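Review bot: The last sentence of the added paragraph that begins "The `winpe.wim` boot image from the Windows ADK should be updated because" reads "then changes boot image, including the applied cumulative update, will persist", which is missing words; it should read "then changes to the boot image". The sentence before it uses "then" twice ("then the next time ... then changes made to"), and the first bullet of the new IMPORTANT block has "enabling the command prompt. etc,", where the period and comma around "etc" are misplaced.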
@@ -907,30 +929,35 @@ After updating the `winpe.wim` boot image from the Windows ADK, generate a new ` 1. In the toolbar, select **Update Distribution Points**. -1. In the **Update Distribution Points Wizard** window that appears: +1. When the **Update Distribution Points Wizard** window that appears: 1. In the **General**/**Update distribution points with this image** page, select the **Reload this boot image with the current Windows PE version from the Windows ADK** option, and then select the **Next >** button. 1. In the **Summary** page, select the **Next >** button. - 1. The **Progress** page will appears while the boot image builds. + 1. The **Progress** page appears while the boot image builds. - 1. Once the boot image finishes building, the **Completion**/**The task "Update Distribution Points Wizard" completed successfully** page will appear. Select the **Close** button. + 1. Once the boot image finishes building, the **The task "Update Distribution Points Wizard" completed successfully**/**Completion** page will appear. Select the **Close** button. -This process updates the boot image used by Configuration Manager. It will also update the boot image and the boot files used by any PXE enabled distribution points. +This process updates the boot image used by Configuration Manager. It will also update the boot image and the bootmgr boot files used by any PXE enabled distribution points. > [!IMPORTANT] > -> If there are multiple boot images used in the environment for PXE enabled distribution points, make sure to update all of the PXE enabled boot images with the same cumulative update. This will ensure that the PXE enabled distribution points all use the latest version of the bootmgr boot files extracted from the boot images (if applicable). +> If there are multiple boot images used in the environment for PXE enabled distribution points, make sure to update all of the PXE enabled boot images with the same cumulative update. 
This will ensure that the PXE enabled distribution points all use the version of the bootmgr boot files extracted from the boot images (if applicable). ### Add optional components manually to Configuration Manager boot images -For Microsoft Configuration Manager boot images, when applying a cumulative update to a boot image, make sure to add any desired optional components manually using the above command lines instead of adding them through Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. Optional components need to be added to the boot image manually instead of via Configuration Manager because: +For Microsoft Configuration Manager boot images, when applying a cumulative update to a boot image, make sure to add any desired optional components manually using the command lines from the walkthrough instead of adding them through Configuration Manager. Optional components are usually added to boot images in Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. + +Optional components need to be added to the boot image manually instead of via Configuration Manager because: - When the cumulative update is applied, it will also update any optional components as needed. -- If the optional components are instead added through Configuration Manager after a cumulative update has been applied to the boot image, then the optional components will not be updated with the cumulative update. This could lead to unexpected behaviors and problems. -Once any optional components has been manually added to a boot image, if that optional component is attempted to be added via the **Optional Components** tab in the **Properties** of the boot image in Configuration Manager, Configuration Manager will detect that the optional component has already been added and it will not try to add the optional component again. 
+- If optional components are added through Configuration Manager on a boot image that has a cumulative update, then the optional components will not be updated with the cumulative update. This could lead to unexpected behaviors and problems. The cumulative update needs to be added after the optional components have been added to the boot image for the optional components to be updated properly with the cumulative update. + +> [!NOTE] +> +> If an optional component is attempted to be added via the **Optional Components** tab in the **Properties** of the boot image in Configuration Manager but the optional component has already been manually added to the boot image, Configuration Manager won't add that optional component again. Instead, Configuration Manager detects that the optional component has already been added and it won't try to add the optional component again. ### Configuration Manager boot image required components 
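Review bot: The reworded step "When the **Update Distribution Points Wizard** window that appears:" is no longer a sentence; keep "In the ... window that appears:" or write "When the ... window appears:". In the IMPORTANT block, dropping "latest" from "all use the latest version of the bootmgr boot files" leaves "all use the version", which loses the point of updating every PXE enabled boot image; restore "latest" or say "the same version". The new NOTE states twice that Configuration Manager won't add the optional component again and can be cut to one sentence.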
@@ -949,13 +976,15 @@ For a list of all available WinPE optional components including descriptions for ### Updating Configuration Manager boot media -After completing the walkthrough, update any Configuration Manager boot media to ensure that the boot media has both the updated boot image and if applicable, updated boot files. +After completing the walkthrough, including updating boot images in Configuration Manager, update any Configuration Manager task sequence media to ensure that the task sequence media has both the updated boot image and if applicable, updated boot files. ## Microsoft Deployment Toolkit (MDT) considerations -When adding a cumulative update to a Microsoft Deployment Toolkit (MDT) boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK instead of directly updating the `LiteTouchPE_.wim` boot image in the MDT Deployment Share. The `winpe.wim` boot image from the Windows ADK should be updated instead of the `LiteTouchPE_.wim` boot image from the MDT Deployment Share because if `LiteTouchPE_.wim` is updated, then the next time the MDT Deployment Share is updated, the changes made to `LiteTouchPE_.wim`, including the applied cumulative update, may be lost. If the `winpe.wim` boot image from the Windows ADK is updated instead, then the changes to the MDT boot image including the applied cumulative update will persist and be preserved when the MDT Deployment Share is updated. +When adding a cumulative update to a Microsoft Deployment Toolkit (MDT) boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK instead of directly updating the `LiteTouchPE_.wim` boot image in the MDT Deployment Share. -### Updating the boot image in MDT +The `winpe.wim` boot image from the Windows ADK should be updated because if `LiteTouchPE_.wim` is updated instead, then the next time the MDT Deployment Share is updated, the changes made to `LiteTouchPE_.wim`, including the applied cumulative update, will be lost. 
If the `winpe.wim` boot image from the Windows ADK is updated instead, then the changes to the boot image, including the applied cumulative update, will persist and be preserved when the MDT Deployment Share is updated. + +### Updating the boot image and boot media in MDT After updating the `winpe.wim` boot image from the Windows ADK, generate a new `LiteTouchPE_.wim` boot image for MDT that contains the cumulative update by using the following steps: @@ -971,9 +1000,11 @@ After updating the `winpe.wim` boot image from the Windows ADK, generate a new ` 1. In the **Summary** page, select the **Next >** button. - 1. The **Progress** page will appears while the boot image and deployment share builds. + 1. The **Progress** page appears while the boot image and deployment share builds. - 1. Once the boot image and deployment share finishes building, the **Confirmation**/**The process completed successfully** page will appear. Select the **Finish** button. + 1. Once the boot image and deployment share finishes building, the **The process completed successfully**/**Confirmation** page appears. Select the **Finish** button. + +These steps also update the MDT boot media in the MDT Deployment Share. After following the above steps, use the newly updated ISO files in the `\Boot` folder to create new MDT boot media. ### MDT and Windows ADK versions 
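Review bot: The two sentences added after the wizard steps say the steps "also update the MDT boot media in the MDT Deployment Share" and then tell the reader to "create new MDT boot media" from the ISO files, so "boot media" means two different things in consecutive sentences. Because this patch also removes the separate "Updating MDT boot media" section, state explicitly that the steps regenerate the ISO files in the `\Boot` folder and that any media created earlier from the old ISO files has to be recreated.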
@@ -995,14 +1026,6 @@ When adding optional components to any boot image used by MDT during the [Step 6 For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). -### Update MDT boot image - -After completing the walkthrough, . - -### Updating MDT boot media - -After completing the walkthrough and updating the Deployment Share, update any MDT boot media to ensure that the boot media has both the updated boot image and if applicable, updated boot files. - ## Windows Deployment Services (WDS) considerations The **boot.wim** that is part of Windows installation media isn't supported for deploying Windows 11 with Windows Deployment Services (WDS). Additionally, the **boot.wim** from Windows 11 installation media isn't supported for deploying any version of Windows with Windows Deployment Services (WDS). For more information, see [Windows Deployment Services (WDS) boot.wim support](wds-boot-support.md). From 169e4273841cc64562387a4b3b1caf4b06a9b500 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Sat, 5 Aug 2023 20:38:44 -0400 Subject: [PATCH 066/110] Update Boot Image with CU Article 51 --- windows/deployment/update-boot-image.md | 100 ++++++++++++------------ 1 file changed, 52 insertions(+), 48 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index f8a82b38de..a4dc9573ea 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -50,9 +50,9 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum 1. Download and install the **Windows Assessment and Deployment Kit (Windows ADK)** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). - When installing the Windows ADK, for the purpose of this walk-through, it's only necessary to install the **Deployment Tools**. Other products, such as Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT), may require additional features installed, such as the **User State Migration Tool (USMT)**. + For this walk-through, when the Windows ADK is installed, it's only necessary to install the **Deployment Tools**. Other products, such as Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT), may require additional features installed, such as the **User State Migration Tool (USMT)**. - One of the tools installed when installing the the **Deployment Tools** feature will be the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option to run the commands in this walk-through, make sure to run the commands from an elevated **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**. + One of the tools installed when installing the the **Deployment Tools** feature is the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option to run the commands in this walk-through, make sure to run the commands from an elevated **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**. 
The paths in this article assume the Windows ADK was installed at the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly. @@ -70,7 +70,7 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum ## Step 2: Download cumulative update (CU) -1. Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update for the version of Windows that matches the version of the Windows PE boot image that is being updated. +1. Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update. The Windows version of the cumulative update should match the version of the Windows PE boot image that is being updated. 1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"- cumulative update for windows "` where `year` is the four digit current year, `` is the two digit current month, and `` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in July 2023, use the search term `"2023-07 cumulative update for windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search on the previous month. 
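Review bot: In the Step 1 hunk (`@@ -50,9`), the rewritten line still reads "installing the the **Deployment Tools** feature"; remove the duplicated "the" since the sentence is being edited anyway. The same hunk writes "walk-through" while other added lines in this patch write "walkthrough"; pick one spelling for the article.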
@@ -90,7 +90,7 @@ Before modifying the desired boot image, make a backup copy of the boot image th - For the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**, the boot image is located at `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim`. -- For the default 64-bit boot image that is generated by **Microsoft Configuration Manager**, the boot image is located at `\OSD\boot\x64\boot.wim`. For other boot images in Configuration Manager, the path to the boot image will be displayed in the **Image path:** field under the **Data Source** tab in the **Properties** of the boot image. +- For the default 64-bit boot image that is generated by **Microsoft Configuration Manager**, the boot image is located at `\OSD\boot\x64\boot.wim`. For other boot images in Configuration Manager, the path to the boot image is displayed in the **Image path:** field under the **Data Source** tab in the **Properties** of the boot image. However, for **Microsoft Configuration Manager** it's recommended to instead modify the `winpe.wim` boot image included with the **Windows PE add-on for the Windows ADK**. For more information, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations). 
@@ -102,10 +102,10 @@ Before modifying the desired boot image, make a backup copy of the boot image th Adjust the above paths for 32-bit boot images (only available with Windows 10 ADKs). -The following commands will backup the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**: +The following commands backs up the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) -From an elevated **PowerShell** command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. If a backed up boot image already exists, this command needs confirmation before it overwrites the existing backed up boot image: +From an elevated **PowerShell** command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. If a backed-up boot image already exists, this command needs confirmation before it overwrites the existing backed up boot image: ```powershell Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.bak.wim" 
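Review bot: The added line "The following commands backs up the 64-bit boot image" has a subject-verb mismatch; use "The following commands back up". The PowerShell sentence now hyphenates "backed-up boot image" in its first clause but leaves "existing backed up boot image" at the end of the same sentence, so hyphenate both.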
@@ -117,7 +117,7 @@ To automatically overwrite an existing backed up boot image without confirmation ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) -From an elevated command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. If a backed up boot image already exists, this command needs confirmation before it overwrites the existing backed up boot image: +From an elevated command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. If a backed-up boot image already exists, this command needs confirmation before it overwrites the existing backed up boot image: ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.bak.wim" @@ -135,7 +135,7 @@ To automatically overwrite an existing backed up boot image without confirmation ## Step 4: Mount boot image to mount folder -1. Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. If using a previously created mount folder, ensure that it is empty and doesn't have any previously mounted images in it. +1. Create a new empty folder to mount the boot image to. For example, `C:\Mount`. If using a previously created mount folder, ensure that it's empty and doesn't have any previously mounted images in it. 1. Mount the boot image to the mount folder using one of the following methods: 
@@ -233,7 +233,7 @@ For more information, see [Add and Remove Driver packages to an offline Windows --- -Drivers are not affected by the cumulative update installed later in this walkthrough. Once a driver is added to a boot image, it does not need to be added again if a newer cumulative update is applied to the boot image at a later point in time. +The cumulative update installed later in this walkthrough doesn't affect drivers. Once a driver is added to a boot image, it doesn't need to be added again if a newer cumulative update is applied to the boot image. > [!TIP] > @@ -284,7 +284,7 @@ Drivers are not affected by the cumulative update installed later in this walkth DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-Scripting.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WDS-Tools.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureStartup.cab" ``` - These examples assume a 64-bit boot image image. If a different architecture is being used, then adjust the paths in the commands accordingly. + These examples assume a 64-bit boot image. If a different architecture is being used, then adjust the paths in the commands accordingly. You can add as many desired optional components as needed on a single **DISM.exe** command line. 
@@ -296,7 +296,7 @@ Drivers are not affected by the cumulative update installed later in this walkth Not all optional components have the language specific component. However, for optional components that do have a language specific component, make sure that the language specific component is installed. - To check if an optional component has a language component, check the `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\\` directory to see if there is a matching language component for that optional component. + To check if an optional component has a language component, check the `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\\` directory to see if there's a matching language component for that optional component. For example, to install the English United States (en-us) language component for an optional component, use the following command line: 
@@ -338,17 +338,21 @@ Drivers are not affected by the cumulative update installed later in this walkth > [!IMPORTANT] > -> When adding optional components, make sure to check if an optional component has a prerequisite for another optional component. When an optional component does have a prerequisite, make sure that the prerequisite component is installed first. For more information on adding optional components, see [WinPE Optional Components (OC) Reference: How to add Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#how-to-add-optional-components). +> When adding optional components, make sure to check if an optional component has a prerequisite for another optional component. When an optional component does have a prerequisite, make sure that the prerequisite component is installed first. For more information, see [WinPE Optional Components (OC) Reference: How to add Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#how-to-add-optional-components). > [!IMPORTANT] > -> Both **Microsoft Configuration Manager** and **Microsoft Deployment Toolkit (MDT)** boot images require certain optional components to work properly. Make sure to add these required components when using either **Microsoft Configuration Manager** and **Microsoft Deployment Toolkit (MDT)** +> Cumulative updates always need to be applied or reapplied after adding optional components to the boot image. If additional optional components are added to a boot image after a cumulative update has been applied, then the cumulative update needs to be reapplied. + +> [!IMPORTANT] > -> Additionally, when adding any optional component for either **Microsoft Configuration Manager** or **Microsoft Deployment Toolkit (MDT)** boot images, make sure to add the components manually using the above command lines instead of adding them through **Configuration Manager** or **MDT**. 
For more information, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations) or [Microsoft Deployment Toolkit (MDT) considerations](#microsoft-deployment-toolkit-mdt-considerations). +> Both **Microsoft Configuration Manager** and **Microsoft Deployment Toolkit (MDT)** boot images require certain optional components to work properly. Make sure to add these required components when using either **Microsoft Configuration Manager** and **Microsoft Deployment Toolkit (MDT)**. For more information, see [Configuration Manager boot image required components](#configuration-manager-boot-image-required-components) or [MDT boot image required components](#mdt-boot-image-required-components). +> +> Additionally, when adding any optional component for either **Microsoft Configuration Manager** or **Microsoft Deployment Toolkit (MDT)** boot images, make sure to manually add the optional components using this walkthrough instead of adding them through **Configuration Manager** or **MDT**. For more information and reasons why, see [Microsoft Configuration Manager considerations](#microsoft-configuration-manager-considerations) or [Microsoft Deployment Toolkit (MDT) considerations](#microsoft-deployment-toolkit-mdt-considerations). ### Popular optional components -The following is a list of popular optional components that are commonly added to boot images: +The following list contains the more popular optional components that are commonly added to boot images: | **Feature** | **File Name** | **Dependency** | **Purpose** | **Required by ConfigMgr** | **Required by MDT** | | --- | --- | --- | --- | --- | 
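Review bot: In the rewritten third IMPORTANT callout, the added sentence still reads "when using either **Microsoft Configuration Manager** and **Microsoft Deployment Toolkit (MDT)**"; "either" needs "or", matching the "or" used in the second paragraph of the same callout. Separately, the unchanged table header at the end of this hunk has six columns while its separator row has only five `---` cells, which is worth fixing while this section is being touched.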
@@ -358,7 +362,7 @@ The following is a list of popular optional components that are commonly added t | Startup/WinPE-SecureStartup | `WinPE-SecureStartup.cab` | Scripting/WinPE-WMI | Supports managing BitLocker and TPMs within WinPE | Yes | Yes| | File management/WinPE-FMAPI | `WinPE-FMAPI.cab` | NA | Supports access to the Windows PE File Management API | No | Yes | | Windows PowerShell/WinPE-PowerShell | `WinPE-PowerShell.cab` | Scripting/WinPE-Scripting
Scripting/WinPE-WMI
Microsoft .NET/WinPE-NetFx | Supports running PowerShell commands and scripts in WinPE | No | No | -| Microsoft .NET/WinPE-NetFx | `WinPE-NetFx.cab` | Scripting/WinPE-WMI | Supports .Net applications in WinPE | No | No | +| Microsoft .NET/WinPE-NetFx | `WinPE-NetFx.cab` | Scripting/WinPE-WMI | Supports .NET applications in WinPE | No | No | | Network/WinPE-Dot3Svc | `WinPE-Dot3Svc.cab` | NA | Supports the 802.1X network protocol in WinPE | No | No | | HTML/WinPE-HTA | `WinPE-HTA.cab` | Scripting/WinPE-WMI | Supports running HTML applications in WinPE | No | No | | Database/WinPE-MDAC | `WinPE-MDAC.cab` | NA | Supports connecting to databases in WinPE | No | No | @@ -437,7 +441,7 @@ The DISM log file can be found at C:\Windows\Logs\DISM\dism.log --- -Inspecting the **DISM.log** will reveal the following error: +Inspecting the **DISM.log** reveals the following error: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) 
@@ -487,9 +491,9 @@ DISM Package Manager: PID= TID= Failed while processing command add-pa --- -The problem occurs when the WinPE boot image that is being serviced requires installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE which most likely won't need a servicing stack update (SSU) installed before installing the cumulative update (CU). +The problem occurs when the WinPE boot image that is being serviced requires installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE. The latest versions of the Windows ADK and Windows PE most likely don't need a servicing stack update (SSU) installed before installing the cumulative update (CU). -For scenarios where an older version of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The servicing stack update (SSU) is contained within the cumulative update (CU). To obtain the servicing stack update (SSU) so that it can be applied, it can be extracted from the cumulative update (CU). +For scenarios where older versions of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The servicing stack update (SSU) is contained within the cumulative update (CU). To obtain the servicing stack update (SSU) so that it can be applied, it can be extracted from the cumulative update (CU). 
The following steps outline how to extract and then install the servicing stack update (SSU) to the boot image. Once the servicing stack update (SSU) has been installed in the boot image, then the cumulative update (CU) should install to the boot image without error: 
@@ -565,11 +569,11 @@ The following steps outline how to extract and then install the servicing stack ## Step 8: Copy boot files from mounted boot image to ADK installation path -Some cumulative updates will update the bootmgr boot files in the boot image. After these bootmgr boot files have been updated in the boot image, it's recommended to copy these updated bootmgr boot files from the boot image back to the Windows ADK. This will ensure that the Windows ADK has the updated bootmgr boot files. +Some cumulative updates contain updated bootmgr boot files that are added to the boot image. After these bootmgr boot files have been updated in the boot image, it's recommended to copy these updated bootmgr boot files from the boot image back to the Windows ADK. Copying these files ensures that the Windows ADK has the updated bootmgr boot files. ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) -From an elevated **PowerShell** command prompt, run the following commands to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands will also back up any existing bootmgr boot files its finds. When applicable, the commands need confirmation to overwrite any existing files: +From an elevated **PowerShell** command prompt, run the following commands to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands also back up any existing bootmgr boot files its finds. When applicable, the commands need confirmation to overwrite any existing files: ```powershell Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi" 
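Review bot: The added PowerShell sentence still ends "back up any existing bootmgr boot files its finds"; the tense was changed but the typo was carried over from the removed line, and it should read "they find". The Command Line tab sentence in the next hunk (@@ -597,7 +601,7 @@) has the same wording and needs the same fix.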
@@ -597,7 +601,7 @@ To overwrite the bootmgr boot files and any backed up bootmgr boot file without ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) -From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands will also back up any existing bootmgr boot files its finds. When applicable, the commands need confirmation to overwrite any existing files: +From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands also back up any existing bootmgr boot files its finds. When applicable, the commands need confirmation to overwrite any existing files: ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi" 
@@ -625,7 +629,7 @@ To overwrite the bootmgr boot files and any backed up bootmgr boot file without --- -This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr boot files are available to the Windows ADK when creating bootable media via the Windows ADK. This may include any product that uses the Windows ADK to create bootable media. +This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr boot files are available to the Windows ADK when creating bootable media via the Windows ADK. When these files are updated in the Windows ADK, products that use the Windows ADK to create bootable media also have access to the updated bootmgr boot files. In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). @@ -635,7 +639,7 @@ In particular, this step is needed when addressing the BlackLotus UEFI bootkit v ## Step 9: Perform component cleanup -Run **DISM.exe** commands that will clean up the mounted boot image and help reduce its size: +Run **DISM.exe** commands that clean up the mounted boot image and help reduce its size: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) 
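Review bot: In the @@ -625,7 +629,7 @@ hunk, the unchanged KB5025885 link targets the host `prod.support.services.microsoft.com`, which does not look like the public support site; confirm the host and switch the link to the public `support.microsoft.com` address if that is what was intended. Since this paragraph is the one readers follow for CVE-2023-24932, consider also stating how to confirm that the bootmgr files copied into the Windows ADK are the updated ones.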
@@ -681,7 +685,7 @@ For more information, see [Modify a Windows image using DISM: Reduce the size of ## Step 10: Verify all desired packages have been added to boot image -After the optional components and the cumulative update (CU) have been applied to the boot image, verify that they are showing as installed: +After the optional components and the cumulative update (CU) have been applied to the boot image, verify that they're showing as installed: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) 
@@ -861,19 +865,19 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag ## Step 13: Update boot image in products that utilize it (if applicable) -After the default `winpe.wim` boot image from the Windows ADK has been updated, additional steps usually need to take place in the product(s) that utilize the boot image . The following links contain information on how to update the boot image for several popular products that utilize boot images: +After the default `winpe.wim` boot image from the Windows ADK has been updated, additional steps usually need to take place in the product(s) that utilize the boot image. The following links contain information on how to update the boot image for several popular products that utilize boot images: - [Microsoft Configuration Manager](#updating-the-boot-image-in-configuration-manager) - [Microsoft Deployment Toolkit (MDT)](#updating-the-boot-image-in-mdt) - Windows Deployment Services -For any other products that utilize boot images, please consult their documentation on how to finish updating the boot image. +For any other products that utilize boot images, consult the product's documentation on updating the boot image. ## Microsoft Configuration Manager considerations ### How Microsoft Configuration Manager creates boot images -Microsoft Configuration Manager creates its own boot images by taking the `winpe.wim` from the Windows ADK, adding some [optional components it requires](#configuration-manager-boot-image-required-components) to function correctly, and then saving the boot image as `boot.wim` in the directory `\OSD\boot\\boot.wim`. This `boot.wim` boot image is considered the pristine authoritative copy of the boot image by Configuration Manager and is never touched, modified, or updated by Configuration Manager except in some very specific scenarios. 
Instead, when changes are done in the properties of the boot image in Configuration Manager such as: +Microsoft Configuration Manager creates its own boot images by taking the `winpe.wim` from the Windows ADK, adding some [optional components it requires](#configuration-manager-boot-image-required-components) to function correctly, and then saving the boot image as `boot.wim` in the directory `\OSD\boot\\boot.wim`. This `boot.wim` boot image is considered the pristine authoritative copy of the boot image by Configuration Manager. Configuration Manager never touches, modifies, or updates the `boot.wim` boot image except in some specific scenarios. Instead, when changes are done in the properties of the boot image in Configuration Manager such as: - Adding drivers - Adding optional components 
@@ -881,21 +885,21 @@ Microsoft Configuration Manager creates its own boot images by taking the `winpe Configuration Manager makes a copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. -If in the future any additional changes are done to the boot image, Configuration Manager discards the previously created `boot..wim` boot image, makes a new copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. In other words, `boot.wim` is never touched. Any time any changes are made to a boot image, both the new changes and any changes done in the past are all reapplied to a new copy of `boot.wim`. +If in the future any additional changes are done to the boot image, Configuration Manager discards the previously created `boot..wim` boot image, makes a new copy of `boot.wim`, applies the changes to the copy, and then saves the new boot image as `boot..wim`. In other words, `boot.wim` is never touched. Anytime any changes are made to a boot image, both the new changes and any changes done in the past are all reapplied to a new copy of `boot.wim`. This process has the following advantages: 1. Keeps `boot.wim` pristine. -1. Makes sure that when changes are made to a boot image, they are being done to a copy of a pristine version of the boot image that hasn't had been modified in the past. This helps avoid corruption when a boot image is updated multiple times. I can also correct issues with existing boot images. +1. Makes sure that changes done to a boot image are being done to a pristine unmodified version of the boot image. This process helps avoid corruption when a boot image is updated multiple times. I can also correct issues with existing boot images. 1. Helps manage components in the boot image. The process doesn't need to know what components may need to be removed from the boot image each time the boot image is rebuilt. 
Instead, it just needs to know what components need to be added to the boot image. -1. Reduces the size of the boot image that can occur when components are repeatedly added to and removed from the boot image. +1. It reduces the size of the boot image that can occur when components are repeatedly added to and removed from the boot image. -There are two scenarios when the `boot.wim` boot image is updated by Configuration Manager: +Configuration Manager updates the `boot.wim` boot image in two scenarios: -1. When upgrading between versions of Configuration Manager or when applying hotfix roll ups (HFRUs) to Configuration Manager, `boot.wim` may be updated as part of the upgrade process. +1. When Configuration Manager is upgraded between version or a hotfix roll ups (HFRUs) is applied, `boot.wim` may be updated as part of the upgrade process. 1. When selecting the option **Reload this boot image with the current Windows PE version from the Windows ADK** in the **Update Distribution Points Wizard**. 
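Review bot: Three wording defects survive in the added lines of this hunk. The second list item still ends "I can also correct issues with existing boot images", which should begin with "It"; the fourth item was changed from "Reduces" to "It reduces", which breaks the verb-first pattern of "Keeps", "Makes sure" and "Helps manage"; and "When Configuration Manager is upgraded between version or a hotfix roll ups (HFRUs) is applied" mixes singular and plural ("between versions", "a hotfix rollup (HFRU) is applied").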
@@ -905,7 +909,7 @@ In theses scenarios, the `boot.wim` boot image is updated using the `winpe.wim` When manually adding a cumulative update to a Configuration Manager boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK instead of directly updating the `boot.wim` boot image generated by Configuration Manager. -The `winpe.wim` boot image from the Windows ADK should be updated because if `boot.wim` generated by Configuration Manager is updated instead, then the next time `boot.wim` is updated via a Configuration Manager upgrade or the **Reload this boot image with the current Windows PE version from the Windows ADK** option, then changes made to `boot.wim`, including the applied cumulative update, will be lost. If the `winpe.wim` boot image from the Windows ADK is updated instead, then changes boot image, including the applied cumulative update, will persist and be preserved even when Configuration Manager does update the `boot.wim` boot image. +The `winpe.wim` boot image from the Windows ADK should be updated because if `boot.wim` generated by Configuration Manager is updated instead, then the next time `boot.wim` is updated via a Configuration Manager upgrade or the **Reload this boot image with the current Windows PE version from the Windows ADK** option, then changes made to `boot.wim`, including the applied cumulative update, will be lost. If the `winpe.wim` boot image from the Windows ADK is updated with the cumulative update instead, then the cumulative update persists and is preserved even when Configuration Manager does update the `boot.wim` boot image. > [!IMPORTANT] 
> @@ -915,7 +919,7 @@ The `winpe.wim` boot image from the Windows ADK should be updated because if `bo > > - Manually changing the `boot..wim` boot image changes the hash value of the boot image. A change in the hash value of the boot image can lead to download failures when downloading the boot image from a distribution point. -By updating `winpe.wim` from the Windows ADK, this will ensure that the cumulative update will stay applied regardless of what changes are made to the `boot.wim` boot image via Configuration Manager. +Updating `winpe.wim` from the Windows ADK ensures that the cumulative update stays applied regardless of what changes are made to the `boot.wim` boot image via Configuration Manager. ### Updating the boot image in Configuration Manager @@ -937,9 +941,9 @@ After updating the `winpe.wim` boot image from the Windows ADK, generate a new ` 1. The **Progress** page appears while the boot image builds. - 1. Once the boot image finishes building, the **The task "Update Distribution Points Wizard" completed successfully**/**Completion** page will appear. Select the **Close** button. + 1. Once the boot image finishes building, the **The task "Update Distribution Points Wizard" completed successfully**/**Completion** page appears. Select the **Close** button. -This process updates the boot image used by Configuration Manager. It will also update the boot image and the bootmgr boot files used by any PXE enabled distribution points. +This process updates the boot image used by Configuration Manager. It also updates the boot image and the bootmgr boot files used by any PXE enabled distribution points. > [!IMPORTANT] 
> @@ -947,13 +951,13 @@ This process updates the boot image used by Configuration Manager. It will also ### Add optional components manually to Configuration Manager boot images -For Microsoft Configuration Manager boot images, when applying a cumulative update to a boot image, make sure to add any desired optional components manually using the command lines from the walkthrough instead of adding them through Configuration Manager. Optional components are usually added to boot images in Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. +For Microsoft Configuration Manager boot images, when applying a cumulative update to a boot image, make sure to add any desired optional components manually using the command lines from the walkthrough instead of adding them through Configuration Manager. Optional components are added to boot images in Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. Optional components need to be added to the boot image manually instead of via Configuration Manager because: -- When the cumulative update is applied, it will also update any optional components as needed. +- When the cumulative update is applied, it also updates any optional components as needed. -- If optional components are added through Configuration Manager on a boot image that has a cumulative update, then the optional components will not be updated with the cumulative update. This could lead to unexpected behaviors and problems. The cumulative update needs to be added after the optional components have been added to the boot image for the optional components to be updated properly with the cumulative update. +- If optional components are added through Configuration Manager on a boot image that has a cumulative update, then the optional components aren't updated with the cumulative update. 
Adding the optional components through Configuration Manager could lead to unexpected behaviors and problems. The cumulative update needs to be added after the optional components have been added to the boot image for the optional components to be updated properly with the cumulative update. > [!NOTE] > @@ -961,7 +965,7 @@ Optional components need to be added to the boot image manually instead of via C ### Configuration Manager boot image required components -The following components are required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly: +For Microsoft Configuration Manager boot images to function correctly, it requires the following optional components: | **Feature** | **File Name** | **Dependency** | **Required by ConfigMgr** | | --- | --- | --- | --- | 
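Review bot: In the @@ -961,7 +965,7 @@ hunk, the new lead-in "For Microsoft Configuration Manager boot images to function correctly, it requires the following optional components" uses a singular "it" whose only antecedent is the plural "boot images". Suggest "Microsoft Configuration Manager boot images require the following optional components to function correctly:". The MDT lead-in added later in this patch (@@ -1000,19 +1004,19 @@) uses the same construction and should change with it.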
@@ -976,13 +980,13 @@ For a list of all available WinPE optional components including descriptions for ### Updating Configuration Manager boot media -After completing the walkthrough, including updating boot images in Configuration Manager, update any Configuration Manager task sequence media to ensure that the task sequence media has both the updated boot image and if applicable, updated boot files. +After completing the walkthrough, including updating boot images in Configuration Manager, update any Configuration Manager task sequence media. Updating any Configuration Manager task sequence media ensures that the task sequence media has both the updated boot image and if applicable, updated boot files. ## Microsoft Deployment Toolkit (MDT) considerations When adding a cumulative update to a Microsoft Deployment Toolkit (MDT) boot image, it's recommended to update the `winpe.wim` boot image from the Windows ADK instead of directly updating the `LiteTouchPE_.wim` boot image in the MDT Deployment Share. -The `winpe.wim` boot image from the Windows ADK should be updated because if `LiteTouchPE_.wim` is updated instead, then the next time the MDT Deployment Share is updated, the changes made to `LiteTouchPE_.wim`, including the applied cumulative update, will be lost. If the `winpe.wim` boot image from the Windows ADK is updated instead, then the changes to the boot image, including the applied cumulative update, will persist and be preserved when the MDT Deployment Share is updated. +The `winpe.wim` boot image from the Windows ADK should be updated because if `LiteTouchPE_.wim` is updated instead, then the next time the MDT Deployment Share is updated, the changes made to `LiteTouchPE_.wim`, including the applied cumulative update, will be lost. If the `winpe.wim` boot image from the Windows ADK is updated with the cumulative update instead, then the cumulative update persists and is preserved even when the MDT Deployment Share is updated. 
### Updating the boot image and boot media in MDT 
@@ -1000,19 +1004,19 @@ After updating the `winpe.wim` boot image from the Windows ADK, generate a new ` 1. In the **Summary** page, select the **Next >** button. - 1. The **Progress** page appears while the boot image and deployment share builds. + 1. The **Progress** page appears while the boot image and deployment share build. - 1. Once the boot image and deployment share finishes building, the **The process completed successfully**/**Confirmation** page appears. Select the **Finish** button. + 1. Once the boot image and deployment share finish building, the **The process completed successfully**/**Confirmation** page appears. Select the **Finish** button. These steps also update the MDT boot media in the MDT Deployment Share. After following the above steps, use the newly updated ISO files in the `\Boot` folder to create new MDT boot media. ### MDT and Windows ADK versions -Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. When using MDT, the recommendation is to use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads) instead of the latest version of the Windows ADK. **ADK for Windows 10, version 2004** was the last version of the Windows ADK supported by MDT. +Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. When MDT is used, the recommendation is to use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads) instead of the latest version of the Windows ADK. **ADK for Windows 10, version 2004** was the last version of the Windows ADK supported by MDT. 
### MDT boot image required components -The following components are required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly: +For Microsoft Deployment Toolkit (MDT) boot images to function correctly, it requires the following optional components: | **Feature** | **File Name** | **Dependency** | **Required by MDT** | | --- | --- | --- | --- | @@ -1032,4 +1036,4 @@ The **boot.wim** that is part of Windows installation media isn't supported for ## Windows Server 2012 R2 -This walk-through isn't intended for use with Windows Server 2012 R2. There may be additional steps necessary when using Windows Server 2012 R2, such as also having to apply the latest servicing stack update (SSU) to the WinPE boot image. For server OSes, it's strongly recommended to use Windows Server 2016 or later for this walk-through. For more information see, [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2). +This walk-through isn't intended for use with Windows Server 2012 R2. There may be additional steps necessary when using Windows Server 2012 R2, such as also having to apply the latest servicing stack update (SSU) to the WinPE boot image. For server OSes, it's recommended to use Windows Server 2016 or later for this walk-through. For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2). From 38324bf811115d565eeff71e47be761f390ee0a4 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Mon, 7 Aug 2023 12:11:22 -0400 Subject: [PATCH 067/110] Update Boot Image with CU Article 52 --- windows/deployment/update-boot-image.md | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index a4dc9573ea..2826d0a60b 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
@@ -36,7 +36,7 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum - [Step 2: Download cumulative update (CU)](#step-2-download-cumulative-update-cu) - [Step 3: Backup existing boot image](#step-3-backup-existing-boot-image) - [Step 4: Mount boot image to mount folder](#step-4-mount-boot-image-to-mount-folder) -- [Step 5: Add drivers to boot image](#step-5-add-drivers-to-boot-image) +- [Step 5: Add drivers to boot image (optional)](#step-5-add-drivers-to-boot-image-optional) - [Step 6: Add optional components to boot image](#step-6-add-optional-components-to-boot-image) - [Step 7: Add cumulative update (CU) to boot image](#step-7-add-cumulative-update-cu-to-boot-image) - [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path) @@ -44,7 +44,7 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum - [Step 10: Verify all desired packages have been added to boot image](#step-10-verify-all-desired-packages-have-been-added-to-boot-image) - [Step 11: Unmount boot image and save changes](#step-11-unmount-boot-image-and-save-changes) - [Step 12: Export boot image to reduce size](#step-12-export-boot-image-to-reduce-size) -- [Step 13: Update boot images in products that utilize the boot images (optional)](#step-13-update-boot-image-in-products-that-utilize-the-boot-image-if-applicable) +- [Step 13: Update boot images in products that utilize the boot images (optional)](#step-13-update-boot-image-in-products-that-utilize-it-if-applicable) ## Step 1: Download and install ADK 
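Review bot: The Step 13 entry in the table of contents now points at the right anchor, but its link text still reads "Update boot images in products that utilize the boot images (optional)" while the heading it targets is "Step 13: Update boot image in products that utilize it (if applicable)". Align the link text with the heading, as was done for the Step 5 entry in the hunk above it.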
@@ -115,6 +115,8 @@ Adjust paths and file names accordingly to back up other boot images. To automatically overwrite an existing backed up boot image without confirmation, for example in a script, add the `-Force` parameter to the end of the command line. +For more information, see [Copy-Item](/powershell/module/microsoft.powershell.management/copy-item). + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) From an elevated command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. If a backed-up boot image already exists, this command needs confirmation before it overwrites the existing backed up boot image: @@ -127,6 +129,8 @@ Adjust paths and file names accordingly to back up other boot images. To automatically overwrite an existing backed up boot image without confirmation, for example in a script, add the `/Y` parameter to the end of the command line. +For more information, see [copy](/windows-server/administration/windows-commands/copy). + --- > [!IMPORTANT] @@ -173,7 +177,7 @@ To automatically overwrite an existing backed up boot image without confirmation --- -## Step 5: Add drivers to boot image +## Step 5: Add drivers to boot image (optional) If needed, add any drivers to the boot image: @@ -815,6 +819,8 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag Remove-Item - Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Force ``` + For more information, see [Remove-Item](/powershell/module/microsoft.powershell.management/remove-item). + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to delete the original updated boot image: 
@@ -829,6 +835,8 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag del "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /Y ``` + For more information, see [del](/windows-server/administration/windows-commands/del). + --- 1. Rename the exported boot image with the name of the original boot image: @@ -847,6 +855,8 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag Rename-Item -Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim" -NewName "winpe.wim" ``` + For more information, see [Rename-Item](/powershell/module/microsoft.powershell.management/rename-item). + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to rename the exported boot image with the name of the original boot image: @@ -861,6 +871,8 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag rename "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim" "winpe.wim" ``` + For more information, see [rename](/windows-server/administration/windows-commands/rename). + --- ## Step 13: Update boot image in products that utilize it (if applicable) 
@@ -868,7 +880,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag After the default `winpe.wim` boot image from the Windows ADK has been updated, additional steps usually need to take place in the product(s) that utilize the boot image. The following links contain information on how to update the boot image for several popular products that utilize boot images: - [Microsoft Configuration Manager](#updating-the-boot-image-in-configuration-manager) -- [Microsoft Deployment Toolkit (MDT)](#updating-the-boot-image-in-mdt) +- [Microsoft Deployment Toolkit (MDT)](#updating-the-boot-image-and-boot-media-in-mdt) - Windows Deployment Services For any other products that utilize boot images, consult the product's documentation on updating the boot image. @@ -980,7 +992,7 @@ For a list of all available WinPE optional components including descriptions for ### Updating Configuration Manager boot media -After completing the walkthrough, including updating boot images in Configuration Manager, update any Configuration Manager task sequence media. Updating any Configuration Manager task sequence media ensures that the task sequence media has both the updated boot image and if applicable, updated boot files. +After completing the walkthrough, including updating boot images in Configuration Manager, update any Configuration Manager task sequence media. Updating any Configuration Manager task sequence media ensures that the task sequence media has both the updated boot image and if applicable, updated boot files. For more information, see [Create task sequence media](/mem/configmgr/osd/deploy-use/create-task-sequence-media). ## Microsoft Deployment Toolkit (MDT) considerations 
@@ -1036,4 +1048,4 @@ The **boot.wim** that is part of Windows installation media isn't supported for ## Windows Server 2012 R2 -This walk-through isn't intended for use with Windows Server 2012 R2. There may be additional steps necessary when using Windows Server 2012 R2, such as also having to apply the latest servicing stack update (SSU) to the WinPE boot image. For server OSes, it's recommended to use Windows Server 2016 or later for this walk-through. For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2). +This walk-through isn't intended for use with Windows Server 2012 R2. Although the steps in this article may work with Windows Server 2012 R2 older versions of the Windows ADK, it may have compatibility problems with versions of the Windows ADK that are newer than the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). For server OSes, it's recommended to use Windows Server 2016 or later for this walk-through. For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2). From 89a9f1bba2489fc5701dcdfb5f025b88909b0c7b Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Mon, 7 Aug 2023 12:25:46 -0400 Subject: [PATCH 068/110] Update Boot Image with CU Article 53 --- windows/deployment/update-boot-image.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 2826d0a60b..0c305025f3 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md 
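Review bot: The added sentence in the Windows Server 2012 R2 hunk (@@ -1036,4 +1048,4 @@) is missing a word between "Windows Server 2012 R2" and "older versions of the Windows ADK", and the "it" in "it may have compatibility problems" has no clear referent. Suggest naming the subject explicitly, for example "may work with Windows Server 2012 R2 and older versions of the Windows ADK, Windows Server 2012 R2 may have compatibility problems with versions of the Windows ADK that are newer than ...", or whichever connecting word was intended.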
@@ -207,6 +207,8 @@ or Add-WindowsDriver -Path "C:\Mount" -Driver "C:\Drivers" -Recurse ``` +For more information, see [Add-WindowsDriver](/powershell/module/dism/add-windowsdriver). + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) From an elevated **Deployment and Imaging Tools Environment** command prompt, run one of the following commands to add drivers to the boot image: @@ -320,6 +322,8 @@ The cumulative update installed later in this walkthrough doesn't affect drivers These examples assume a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly. + For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to add the language components for the optional components to the boot image: @@ -338,6 +342,8 @@ The cumulative update installed later in this walkthrough doesn't affect drivers You can add as many desired optional components as needed on a single DISM.exe command line. + For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). + --- > [!IMPORTANT] 
@@ -603,6 +609,8 @@ Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windo To overwrite the bootmgr boot files and any backed up bootmgr boot file without confirmation, for example in a script, add the `-Force` parameter to the end of the command lines. +For more information, see [Copy-Item](/powershell/module/microsoft.powershell.management/copy-item). + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands also back up any existing bootmgr boot files its finds. When applicable, the commands need confirmation to overwrite any existing files: @@ -631,6 +639,9 @@ copy "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Ki To overwrite the bootmgr boot files and any backed up bootmgr boot file without confirmation, for example in a script, add the `/Y` parameter to the end of the command lines. + +For more information, see [copy](/windows-server/administration/windows-commands/copy). + --- This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr boot files are available to the Windows ADK when creating bootable media via the Windows ADK. When these files are updated in the Windows ADK, products that use the Windows ADK to create bootable media also have access to the updated bootmgr boot files. From 7ffcd457e2692954eaab9f81b10c2374aef79098 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Mon, 7 Aug 2023 13:17:38 -0400 Subject: [PATCH 069/110] Update Boot Image with CU Article 54 --- windows/deployment/update-boot-image.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 0c305025f3..8397d13a9f 100644 
--- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -527,6 +527,8 @@ The following steps outline how to extract and then install the servicing stack Start-Process "expand.exe" -ArgumentList " -f:* `"C:\Updates\windows10.0-kb5028166-x64_fe3aa2fef685c0e76e1f5d34d529624294273f41.msu`" `"C:\Updates\Extract`"" -Wait -LoadUserProfile ``` + For more information, see [Start-Process](/powershell/module/microsoft.powershell.management/start-process) and [expand](/windows-server/administration/windows-commands/expand). + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) ```cmd @@ -539,6 +541,8 @@ The following steps outline how to extract and then install the servicing stack expand.exe -f:* "C:\Updates\windows10.0-kb5028166-x64_fe3aa2fef685c0e76e1f5d34d529624294273f41.msu" "C:\Updates\Extract" ``` + For more information, see [expand](/windows-server/administration/windows-commands/expand). + --- 1. Inspect the extracted files in the extract folder and identify the servicing stack update (SSU) CAB file. One of the files should be called `SSU--.cab`. For example, `SSU-19041.3205-x64.cab`. Make a note of the name of the servicing stack update (SSU) CAB file. @@ -559,6 +563,8 @@ The following steps outline how to extract and then install the servicing stack Add-WindowsPackage -PackagePath "C:\Updates\Extract\SSU-19041.3205-x64.cab" -Path "C:\Mount" -Verbose ``` + For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). + ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to add the cumulative update (CU) to the boot image: 
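Review bot: In the servicing stack update hunk (@@ -559,6 +563,8 @@), the Command Line tab's lead-in still reads "run the following command to add the cumulative update (CU) to the boot image", but this step and the commands in both tabs install the SSU CAB (`SSU-19041.3205-x64.cab`). Since the commit already touches both tabs, change the lead-in to say servicing stack update (SSU) so it is not confused with the CU retry in the step that follows.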
@@ -573,6 +579,8 @@ The following steps outline how to extract and then install the servicing stack DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Updates\Extract\SSU-19041.3205-x64.cab" ``` + For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). + --- 1. Attempt to apply the cumulative update (CU) to the boot image again using the commands from [Step 7: Add cumulative update (CU) to boot image](#step-7-add-cumulative-update-cu-to-boot-image). From e1af64575308a309ccc52a83a19805c51375d549 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 8 Aug 2023 08:38:41 -0700 Subject: [PATCH 070/110] Tweaks --- .openpublishing.redirection.windows-deployment.json | 5 +++++ .../operate/windows-autopatch-exclude-device.md | 2 +- .../operate/windows-autopatch-unenroll-tenant.md | 10 +++++----- .../whats-new/windows-autopatch-whats-new-2023.md | 3 ++- 4 files changed, 13 insertions(+), 7 deletions(-) diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json index 5ac6d20892..e14d8c5108 100644 --- a/.openpublishing.redirection.windows-deployment.json +++ b/.openpublishing.redirection.windows-deployment.json @@ -1039,6 +1039,11 @@ "source_path": "windows/deployment/windows-autopilot/index.yml", "redirect_url": "/mem/autopilot/", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device", + "redirect_document_id": true } ] } 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md index e8002779df..e3b0793469 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md @@ -18,7 +18,7 @@ ms.collection: To avoid end-user disruption, excluding a device in Windows Autopatch only deletes the Windows Autopatch device record itself. Excluding a device can't delete the Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity. -When you exclude a device from the Windows Autopatch service, the device is flagged as "excluded" so Windows Autopatch doesn't try to restore the device into the service again, since the exclusion command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** group, or any other Azure AD group, used with Autopatch groups. +When you exclude a device from the Windows Autopatch service, the device is flagged as **excluded** so Windows Autopatch doesn't try to restore the device into the service again, since the exclusion command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** group, or any other Azure AD group, used with Autopatch groups. > [!IMPORTANT] > The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md index 168bccb66d..ecc8f356a9 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md 
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md @@ -36,7 +36,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro | Responsibility | Description | | ----- | ----- | | Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). | -| Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). | +| Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record is deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). | ## Your responsibilities after unenrolling your tenant 
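Review bot: The tense change in the "Excluding devices" row (hunk @@ -36,7 +36,7 @@) is only partial: "will be deleted" becomes "is deleted", but the same cell still opens with "Windows Autopatch will exclude all devices", and the "Windows Autopatch data" row above keeps "will delete". If the aim is present tense, as in the numbered steps changed later in this file, convert the whole table; otherwise leave this row as it was.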
@@ -51,9 +51,9 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro **To unenroll from Windows Autopatch:** 1. [Submit a support request](../operate/windows-autopatch-support-request.md) and request to unenroll from the Windows Autopatch service. -1. The Windows Autopatch Service Engineering Team will communicate with your IT Administrator to confirm your intent to unenroll from the service. - 1. You'll have 14 days to review and confirm the communication sent by the Windows Autopatch Service Engineering Team. +1. The Windows Autopatch Service Engineering Team communicates with your IT Administrator to confirm your intent to unenroll from the service. + 1. You have 14 days to review and confirm the communication sent by the Windows Autopatch Service Engineering Team. 2. The Windows Autopatch Service Engineering Team can proceed sooner than 14 days if your confirmation arrives sooner. -1. The Windows Autopatch Service Engineering Team will proceed with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment). -1. The Windows Autopatch Service Engineering Team will inform you when unenrollment is complete. +1. The Windows Autopatch Service Engineering Team proceeds with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment). +1. The Windows Autopatch Service Engineering Team informs you when unenrollment is complete. 1. You’re responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant). diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index dbeb0cc232..30b2c45a91 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md 
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -1,7 +1,7 @@ --- title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. -ms.date: 08/01/2023 +ms.date: 08/08/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: whats-new @@ -27,6 +27,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | +| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | Renamed Deregister a device to [Exclude a device](../operate/windows-autopatch-exclude-device.md). Added the [Restore device](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) feature | | [Device alerts](../operate/windows-autopatch-device-alerts.md) | Added `'InstallSetupBlock'` to the [Alert resolutions section](../operate/windows-autopatch-device-alerts.md#alert-resolutions) | ## July 2023 From 34e94edec682cf320629c3a8c537a591901bdef2 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 8 Aug 2023 12:38:25 -0400 Subject: [PATCH 071/110] Refresh articles --- .../certificate-renewal-windows-mdm.md | 29 ++++----- ...e-device-installation-with-group-policy.md | 60 ++++++------------- .../oma-dm-protocol-support.md | 42 ++++++------- 3 files changed, 55 insertions(+), 76 deletions(-) diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md index d7c3443131..bf7efd00cf 100644 --- a/windows/client-management/certificate-renewal-windows-mdm.md +++ b/windows/client-management/certificate-renewal-windows-mdm.md @@ -8,7 +8,7 @@ ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 08/08/2023 appliesto: - ✅ Windows 11 - ✅ Windows 10 
@@ -16,7 +16,7 @@ appliesto: # Certificate Renewal -The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported. +The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS#7 request, and signs the PKCS#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported. > [!NOTE] > Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered. 
@@ -30,9 +30,9 @@ Windows supports automatic certificate renewal, also known as Renew On Behalf Of Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate. -For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. +For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under `CertificateStore/My/WSTEP/Renew` URL. -With automatic renewal, the PKCS\#7 message content isn't b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content. +With automatic renewal, the PKCS#7 message content isn't base64 encoded separately. With manual certificate renewal, there's an additional base64 encoding for PKCS#7 message content. During the automatic certificate renewal process, if the root certificate isn't trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md). 
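Review bot: Code-formatting the node path (hunk @@ -30,9 +30,9 @@) leaves a stray word after it: "ROBOSupport node under `CertificateStore/My/WSTEP/Renew` URL" now reads as if the CSP path were a URL. If "URL" is not part of what is meant, drop it or end the phrase with "node"; if it is, say which URL node is intended and put it inside the code span.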
@@ -96,21 +96,21 @@ The following example shows the details of an automatic renewal request. In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP's RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired. -For more information about the parameters, see the CertificateStore configuration service provider. +For more information about the parameters, see the [CertificateStore configuration service provider](mdm/certificatestore-csp.md). -Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week. +Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead of every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week. 
## Certificate renewal response When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment): -- The signature of the PKCS\#7 BinarySecurityToken is correct +- The signature of the PKCS#7 BinarySecurityToken is correct - The client's certificate is in the renewal period - The certificate was issued by the enrollment service - The requester is the same as the requester for initial enrollment - For standard client's request, the client hasn't been blocked -After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA. +After validation is completed, the web service retrieves the PKCS#10 content from the PKCS#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA. > [!NOTE] > The HTTP server response must not be chunked; it must be sent as one message. @@ -120,7 +120,8 @@ The following example shows the details of a certificate renewal response. ```xml - + + 
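Review bot: This hunk (@@ -96,21 +96,21 @@) fixes "instead every" but leaves another typo in its own context lines: "(in additional to initial enrollment)" in the sentence that introduces the renewal checks. Change it to "in addition to" in the same pass, since the surrounding lines are already being edited.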
@@ -147,9 +148,9 @@ The following example shows the details of a certificate renewal response. ## Configuration service providers supported during MDM enrollment and certificate renewal -The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider. +The following configuration service providers are supported during MDM enrollment and certificate renewal process. -- CertificateStore -- w7 APPLICATION -- DMClient -- EnterpriseAppManagement +- [CertificateStore](mdm/certificatestore-csp.md) +- [w7 APPLICATION](mdm/w7-application-csp.md) +- [DMClient](mdm/dmclient-csp.md) +- [EnterpriseAppManagement](mdm/enterpriseappvmanagement-csp.md) diff --git a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md index da685db207..6fdc71124f 100644 --- a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md +++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md @@ -1,9 +1,9 @@ --- -title: Manage Device Installation with Group Policy (Windows 10 and Windows 11) +title: Manage Device Installation with Group Policy description: Find out how to manage Device Installation Restrictions with Group Policy. ms.prod: windows-client author: vinaypamnani-msft -ms.date: 09/14/2021 +ms.date: 08/08/2023 ms.reviewer: manager: aaroncz ms.author: vinpa 
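Review bot: In the CSP list (hunk @@ -147,9 +148,9 @@), the label and target of the last new link do not match: `[EnterpriseAppManagement](mdm/enterpriseappvmanagement-csp.md)` points at a file named for EnterpriseAppVManagement, with an extra "v". The other three links use a file name that mirrors the label, so confirm which CSP is meant here and make the label and the file name agree.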
@@ -17,15 +17,13 @@ appliesto: # Manage Device Installation with Group Policy -## Summary - By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy. ## Introduction ### General -This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios: +This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with Windows 10, version 1809. The guide includes the following scenarios: - Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it. - Allow users to install only devices that are on an "approved" list. If a device isn't on the list, then the user can't install it. 
@@ -62,32 +60,15 @@ You can ensure that users install only those devices that your technical support ## Scenario Overview -The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site. +The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to create a Group policy object to manage your client computers, see [Create a Group Policy Object](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object). -Group Policy guides: - -- [Create a Group Policy Object (Windows 10) - Windows Security](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object) -- [Advanced Group Policy Management - Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/agpm) - -### Scenario #1: Prevent installation of all printers - -In this scenario, the administrator wants to prevent users from installing any printers. 
Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy. - -### Scenario #2: Prevent installation of a specific printer - -In this scenario, the administrator allows standard users to install all printers while but preventing them from installing a specific one. - -### Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed - -In this scenario, you'll combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies. - -### Scenario #4: Prevent installation of a specific USB device - -This scenario, although similar to scenario #2, brings another layer of complexity—how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. - -### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive - -In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). 
This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. +| Scenario | Description| +|--|--| +| Scenario #1: Prevent installation of all printers | In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy. | +| Scenario #2: Prevent installation of a specific printer | In this scenario, the administrator allows standard users to install all printers while but preventing them from installing a specific one. | +| Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed | In this scenario, you'll combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies. | +| Scenario #4: Prevent installation of a specific USB device | This scenario, although similar to scenario #2, brings another layer of complexity—how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. | +| Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive | In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. 
In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. | ## Technology Review @@ -217,11 +198,8 @@ Some of these policies take precedence over other policies. The flowchart shown To complete each of the scenarios, ensure you have: - A client computer running Windows. - - A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a "removable disk drive", "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. - - A USB/network printer pre-installed on the machine. - - Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps. ### Understanding implications of applying 'Prevent' policies retroactive @@ -353,7 +331,7 @@ Creating the policy to prevent all printers from being installed: 1. Enter the printer class GUID you found above with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`. - ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ + ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ 1. Click 'OK'. @@ -364,7 +342,7 @@ Creating the policy to prevent all printers from being installed: > [!IMPORTANT] > Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using 'Disk Drive' class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine. -### Testing the scenario +### Testing scenario 1 1. If you haven't completed step #9, follow these steps: @@ -418,7 +396,7 @@ Creating the policy to prevent a single printer from being installed: 1. Optionally, if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'Also apply to matching devices that are already installed'. -### Testing the scenario +### Testing scenario 2 If you completed step #8 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. @@ -469,7 +447,7 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one: 1. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318} - ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ + ![List of prevent Class IDs](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ 1. Click 'OK'. @@ -495,7 +473,7 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one: 1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and allows the target printer to be installed (or stayed installed). -## Testing the scenario +## Testing scenario 3 1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document. @@ -562,7 +540,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed: 1. Optional - if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'also apply to matching devices that are already installed'. -### Testing the scenario +### Testing scenario 4 1. If you haven't completed step #8, follow these steps: @@ -668,6 +646,6 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one: 1. To apply the 'Prevent' coverage of all currently installed USB devices, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'. -### Testing the scenario +### Testing scenario 5 -You shouldn't be able to install any USB thumb-drive, except the one you authorized for usage +You shouldn't be able to install any USB thumb-drive, except the one you authorized for usage. diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md index 521d15c082..7c5fcc68de 100644 --- a/windows/client-management/oma-dm-protocol-support.md +++ b/windows/client-management/oma-dm-protocol-support.md 
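Review bot: In the hunk that renames the test headings, `## Testing scenario 3` stays at heading level 2 while scenarios 1, 2, 4 and 5 use `### Testing scenario N`; change it to `### Testing scenario 3` so it nests under its scenario like the others. The new scenario table also carries over typos from the removed text ("Thus is a basic scenario", "while but preventing them"), which could be fixed in the same pass. The alt text for device-installation-gpo-prevent-class-list.png now differs between its two uses ("List of prevent Class GUIDs" in scenario 1, "List of prevent Class IDs" in scenario 3) while both captions read "List of prevent Class GUIDs"; use one wording.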
@@ -8,7 +8,7 @@ ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 08/08/2023 appliesto: - ✅ Windows 11 - ✅ Windows 10 
@@ -38,26 +38,26 @@ The following table shows the OMA DM standards that Windows uses. Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). -|Element|Description| -|--- |--- | -|Chal|Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.| -|Cmd|Specifies the name of an OMA DM command referenced in a Status element.| -|CmdID|Specifies the unique identifier for an OMA DM command.| -|CmdRef|Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.| -|Cred|Specifies the authentication credential for the originator of the message.| -|Final|Indicates that the current message is the last message in the package.| -|LocName|Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.| -|LocURI|Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.| -|MsgID|Specifies a unique identifier for an OMA DM session message.| -|MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.| -|RespURI|Specifies the URI that the recipient must use when sending a response to this message.| -|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
**Note**
If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows, the device client returns 2 bytes.
| -|Source|Specifies the message source address.| -|SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.| -|Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.| -|TargetRef|Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.| -|VerDTD|Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.| -|VerProto|Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.| +| Element | Description | +|:--|:--| +| Chal | Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message. | +| Cmd | Specifies the name of an OMA DM command referenced in a Status element. | +| CmdID | Specifies the unique identifier for an OMA DM command. | +| CmdRef | Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message. | +| Cred | Specifies the authentication credential for the originator of the message. | +| Final | Indicates that the current message is the last message in the package. | +| LocName | Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication. | +| LocURI | Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard. | +| MsgID | Specifies a unique identifier for an OMA DM session message. 
| +| MsgRef | Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element. | +| RespURI | Specifies the URI that the recipient must use when sending a response to this message. | +| SessionID | Specifies the identifier of the OMA DM session associated with the containing message. If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows, the device client returns 2 bytes. | +| Source | Specifies the message source address. | +| SourceRef | Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element. | +| Target | Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command. | +| TargetRef | Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element. | +| VerDTD | Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message. | +| VerProto | Specifies the major and minor version identifier of the OMA DM protocol specification used with the message. | ## Device management session From 28f48003691b659d8f6641f40622a4195afc9de9 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 8 Aug 2023 10:51:19 -0700 Subject: [PATCH 072/110] fix 11646 --- windows/application-management/apps-in-windows-10.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index e54211075c..30bd681931 100644 
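Review bot: In the rewritten SessionID row of the common-elements table in oma-dm-protocol-support.md, the text that used to sit under a **Note** label is now merged into the description, so the version-dependent behavior reads as part of the element's definition; keep a "Note:" marker in the cell or move the text to a note block below the table. The merged sentence "returns the SessionID in integer in decimal format" is also hard to parse, and "returns 2 bytes" does not say how those bytes are represented; reword both while the row is being touched.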
--- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md 
@@ -45,14 +45,15 @@ There are different types of apps that can run on your Windows client devices. T - **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF Application Development](/dotnet/desktop/wpf/app-development). - **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview). -- **Windows apps**: +- **Windows apps**: > [!TIP] > Starting with Windows 10, you can use the **Windows UI Library (WinUI 3)** to create .NET, Win32 desktop, and UWP apps. This library includes native Windows UI controls and other user interface elements familiar to Windows users. For more information, see [Windows UI Library (WinUI)](/windows/apps/winui/). - **Apps**: All apps installed in `C:\Program Files\WindowsApps`. There are two classes of apps: - - **Provisioned**: Installed in user account the first time you sign in with a new user account. For a list of some common provisioned apps, see [Provisioned apps installed with the Windows client OS](provisioned-apps-windows-client-os.md). + - **Provisioned**: Installed in user account the first time you sign in with a new user account. To get a list of all the provisioned apps, use Windows PowerShell: `Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName` The output lists all the provisioned apps, and their package names. For more information, see [Get-AppxProvisionedPackage](/powershell/module/dism/get-appxprovisionedpackage). + - **Installed**: Installed as part of the OS. 
- **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps. @@ -63,7 +64,7 @@ There are different types of apps that can run on your Windows client devices. T For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Make your apps great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows). - - **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. For a list of some common system apps, see [System apps installed with the Windows client OS](system-apps-windows-client-os.md). + - **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. To get a list of all the system apps, use Windows PowerShell: `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation` The output lists all the system apps, and their installation location. For more information, see [Get-AppxPackage](/powershell/module/appx/get-appxpackage). - **Web apps** and **Progressive web apps (PWA)**: These apps run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have internet access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform. From 054d5ce553850e027ab7c78ac291c98929929988 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 8 Aug 2023 12:18:20 -0700 Subject: [PATCH 073/110] Update mcc-isp-signup.md updated for formatting --- windows/deployment/do/mcc-isp-signup.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index b83d78d4c8..9e9eaa8bd4 100644 
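Review bot: In the **System apps** bullet of apps-in-windows-10.md, the added command uses the aliases `?` and `Sort`; documentation commands are clearer with the full cmdlet names `Where-Object` and `Sort-Object`. Both new one-liners (this one and `Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName` in the **Provisioned** bullet) sit as inline code spans in the middle of a list item; a separate PowerShell code block under each bullet would be easier to read and copy. The patch also drops the links to provisioned-apps-windows-client-os.md and system-apps-windows-client-os.md, so confirm that nothing else relies on those pages being reachable from here.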
--- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md @@ -29,9 +29,9 @@ Before you begin sign up, ensure you have the following components: 1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You'll need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, go to the [Pay-As-You-Go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/). -> [!NOTE] -> - Microsoft Connected Cache is a completely free service for operators. None of the resources created in Azure will incur any charges. -> - Be aware, however, that any additional services that might be selected as part of the Azure sign-up process might incur charges. + > [!NOTE] + > - Microsoft Connected Cache is a completely free service for operators. None of the resources created in Azure will incur any charges. + > - Be aware, however, that any additional services that might be selected as part of the Azure sign-up process might incur charges. 1. **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal. From 9e5044b2606e728d9f11d19f7559360bb018376d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 8 Aug 2023 12:21:25 -0700 Subject: [PATCH 074/110] Update mcc-isp-signup.md tweaks --- windows/deployment/do/mcc-isp-signup.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index 9e9eaa8bd4..fc6cf1cc8d 100644 --- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md 
@@ -30,8 +30,7 @@ Before you begin sign up, ensure you have the following components: 1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You'll need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, go to the [Pay-As-You-Go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/). > [!NOTE] - > - Microsoft Connected Cache is a completely free service for operators. None of the resources created in Azure will incur any charges. - > - Be aware, however, that any additional services that might be selected as part of the Azure sign-up process might incur charges. + > Microsoft Connected Cache is a completely free service for operators. None of the resources created in Azure will incur any charges. However, be aware that any additional services that might be selected as part of the Azure sign-up process might incur charges. 1. **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal. From 6f4be5c5630e43cc4c14de8b344554fd1fc5dc37 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 08:42:23 +0200 Subject: [PATCH 075/110] Fixed broken links --- includes/licensing/_edition-requirements.md | 4 ++-- includes/licensing/_licensing-requirements.md | 4 ++-- windows/security/includes/sections/security-foundations.md | 2 +- windows/security/index.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md index b7a06b9836..e803e8009d 100644 --- a/includes/licensing/_edition-requirements.md +++ b/includes/licensing/_edition-requirements.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 08/02/2023 +ms.date: 08/09/2023 ms.topic: include --- 
@@ -71,7 +71,7 @@ ms.topic: include |**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes| |**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes| |**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes| -|**[Windows application software development kit (SDK)](/windows/security/security-foundations/certification/windows-platform-common-criteria%23security-and-privacy)**|Yes|Yes|Yes|Yes| +|**[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)**|Yes|Yes|Yes|Yes| |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes| |**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes| |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes| diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md index 0021be3c39..28ea87e8e0 100644 --- a/includes/licensing/_licensing-requirements.md +++ b/includes/licensing/_licensing-requirements.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 08/02/2023 +ms.date: 08/09/2023 ms.topic: include --- 
@@ -71,7 +71,7 @@ ms.topic: include |**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes| |**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|Yes| |**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|Yes| -|**[Windows application software development kit (SDK)](/windows/security/security-foundations/certification/windows-platform-common-criteria%23security-and-privacy)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌| |**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/security-foundations.md b/windows/security/includes/sections/security-foundations.md index 6cbeb13816..61eb75d6e8 100644 --- a/windows/security/includes/sections/security-foundations.md +++ b/windows/security/includes/sections/security-foundations.md 
@@ -26,4 +26,4 @@ ms.topic: include |:---|:---| | **Software Bill of Materials (SBOM)** | SBOMs are leveraged to provide the transparency and provenance of the content as it moves through various stages of the Windows supply chain. This enables trust between each supply chain segment, ensures that tampering has not taken place during ingestion and along the way, and provides a provable chain of custody for the product that we ship to customers. | | **[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)** | Windows Defender Application Control (WDAC) enables customers to define policies for controlling what is allowed to run on their devices. WDAC policies can be remotely applied to devices using an MDM solution like Microsoft Intune.

To simplify WDAC enablement, organizations can take advantage of Azure Code Signing, a secure and fully managed service for signing WDAC policies and apps.

Azure Code Signing minimizes the complexity of code signing with a turnkey service backed by a Microsoft managed certificate authority, eliminating the need to procure and self-manage any signing certificates. The service is managed just as any other Azure resource and integrates easily with the leading development and CI/CD toolsets. | -| **[Windows application software development kit (SDK)](/windows/security/security-foundations/certification/windows-platform-common-criteria%23security-and-privacy)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system. | +| **[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system. | diff --git a/windows/security/index.yml b/windows/security/index.yml index e49166e1ef..8c8d647a5a 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml 
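Review bot: In the security-foundations.md row for "Windows application software development kit (SDK)", the new target https://developer.microsoft.com/windows/downloads/windows-sdk/ is the Windows SDK download page, while the description in the same row is about the Windows App SDK; point the link at Windows App SDK documentation or align the row text with the link. The same target is used for this row in _edition-requirements.md and _licensing-requirements.md. The hunk also changes "desktop apps" to "secure desktop apps", a wording change that the "Fixed broken links" subject does not cover; split it out or mention it in the commit message.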
@@ -72,7 +72,7 @@ productDirectory: links: - url: /windows/security/identity-protection/hello-for-business text: Windows Hello for Business - - url: /windows/security/identity-protection/credential-guard + - url: /windows/security/identity-protection/credential-guard/credentail-guard text: Windows Defender Credential Guard - url: /windows-server/identity/laps/laps-overview text: Windows LAPS (Local Administrator Password Solution) From 8376b00f3ebf62d867ee7abb4710f58118b9eee8 Mon Sep 17 00:00:00 2001 
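Review bot: In the index.yml hunk, the new URL ends in `credential-guard/credentail-guard`, with "credentail" misspelled, so a commit meant to fix broken links likely introduces one. Confirm the article's actual file name and correct the last path segment, or keep the original `/windows/security/identity-protection/credential-guard` if that folder path resolves on its own.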
From: Aaron Czechowski Date: Wed, 9 Aug 2023 11:56:57 -0700 Subject: [PATCH 076/110] update manager metadata --- education/windows/change-home-to-edu.md | 2 +- windows/application-management/app-v/appv-about-appv.md | 2 +- ...dd-or-remove-an-administrator-with-the-management-console.md | 2 +- .../appv-add-or-upgrade-packages-with-the-management-console.md | 2 +- .../app-v/appv-administering-appv-with-powershell.md | 2 +- ...istering-virtual-applications-with-the-management-console.md | 2 +- .../appv-allow-administrators-to-enable-connection-groups.md | 2 +- .../app-v/appv-application-publishing-and-client-interaction.md | 2 +- ...v-apply-the-deployment-configuration-file-with-powershell.md | 2 +- .../appv-apply-the-user-configuration-file-with-powershell.md | 2 +- .../application-management/app-v/appv-auto-batch-sequencing.md | 2 +- .../application-management/app-v/appv-auto-batch-updating.md | 2 +- .../app-v/appv-auto-clean-unpublished-packages.md | 2 +- .../application-management/app-v/appv-auto-provision-a-vm.md | 2 +- .../application-management/app-v/appv-available-mdm-settings.md | 2 +- windows/application-management/app-v/appv-capacity-planning.md | 2 +- .../app-v/appv-client-configuration-settings.md | 2 +- ...-configure-access-to-packages-with-the-management-console.md | 2 +- ...configure-connection-groups-to-ignore-the-package-version.md | 2 +- ...-the-client-to-receive-updates-from-the-publishing-server.md | 2 +- .../app-v/appv-connect-to-the-management-console.md | 2 +- .../application-management/app-v/appv-connection-group-file.md | 2 +- .../app-v/appv-connection-group-virtual-environment.md | 2 +- ...v-convert-a-package-created-in-a-previous-version-of-appv.md | 2 +- ...group-with-user-published-and-globally-published-packages.md | 2 +- .../app-v/appv-create-a-connection-group.md | 2 +- ...e-a-custom-configuration-file-with-the-management-console.md | 2 +- .../app-v/appv-create-a-package-accelerator-with-powershell.md | 2 +- 
.../app-v/appv-create-a-package-accelerator.md | 2 +- ...-create-a-virtual-application-package-package-accelerator.md | 2 +- .../app-v/appv-create-and-use-a-project-template.md | 2 +- .../appv-creating-and-managing-virtualized-applications.md | 2 +- ...irtual-application-extensions-with-the-management-console.md | 2 +- .../app-v/appv-delete-a-connection-group.md | 2 +- .../app-v/appv-delete-a-package-with-the-management-console.md | 2 +- .../app-v/appv-deploy-appv-databases-with-sql-scripts.md | 2 +- ...-packages-with-electronic-software-distribution-solutions.md | 2 +- .../app-v/appv-deploy-the-appv-server-with-a-script.md | 2 +- .../application-management/app-v/appv-deploy-the-appv-server.md | 2 +- windows/application-management/app-v/appv-deploying-appv.md | 2 +- .../app-v/appv-deploying-microsoft-office-2010-wth-appv.md | 2 +- .../app-v/appv-deploying-microsoft-office-2013-with-appv.md | 2 +- .../app-v/appv-deploying-microsoft-office-2016-with-appv.md | 2 +- ...-packages-with-electronic-software-distribution-solutions.md | 2 +- .../app-v/appv-deploying-the-appv-sequencer-and-client.md | 2 +- .../app-v/appv-deploying-the-appv-server.md | 2 +- .../application-management/app-v/appv-deployment-checklist.md | 2 +- .../application-management/app-v/appv-dynamic-configuration.md | 2 +- ...-packages-with-electronic-software-distribution-solutions.md | 2 +- .../appv-enable-reporting-on-the-appv-client-with-powershell.md | 2 +- .../app-v/appv-enable-the-app-v-desktop-client.md | 2 +- windows/application-management/app-v/appv-evaluating-appv.md | 2 +- windows/application-management/app-v/appv-for-windows.md | 2 +- windows/application-management/app-v/appv-getting-started.md | 2 +- .../app-v/appv-high-level-architecture.md | 2 +- ...nvert-the-associated-security-identifiers-with-powershell.md | 2 +- ...-management-and-reporting-databases-on-separate-computers.md | 2 +- ...pv-install-the-management-server-on-a-standalone-computer.md | 2 +- 
.../appv-install-the-publishing-server-on-a-remote-computer.md | 2 +- ...ppv-install-the-reporting-server-on-a-standalone-computer.md | 2 +- .../application-management/app-v/appv-install-the-sequencer.md | 2 +- .../appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md | 2 +- windows/application-management/app-v/appv-maintaining-appv.md | 2 +- ...ackages-running-on-a-stand-alone-computer-with-powershell.md | 2 +- ...nnection-groups-on-a-stand-alone-computer-with-powershell.md | 2 +- .../app-v/appv-managing-connection-groups.md | 2 +- .../app-v/appv-migrating-to-appv-from-a-previous-version.md | 2 +- .../appv-modify-an-existing-virtual-application-package.md | 2 +- .../app-v/appv-modify-client-configuration-with-powershell.md | 2 +- .../app-v/appv-move-the-appv-server-to-another-computer.md | 2 +- windows/application-management/app-v/appv-operations.md | 2 +- .../application-management/app-v/appv-performance-guidance.md | 2 +- windows/application-management/app-v/appv-planning-checklist.md | 2 +- .../app-v/appv-planning-folder-redirection-with-appv.md | 2 +- .../app-v/appv-planning-for-appv-server-deployment.md | 2 +- windows/application-management/app-v/appv-planning-for-appv.md | 2 +- .../app-v/appv-planning-for-high-availability-with-appv.md | 2 +- .../app-v/appv-planning-for-sequencer-and-client-deployment.md | 2 +- .../app-v/appv-planning-for-using-appv-with-office.md | 2 +- ...ploy-appv-with-electronic-software-distribution-solutions.md | 2 +- .../app-v/appv-planning-to-deploy-appv.md | 2 +- .../app-v/appv-preparing-your-environment.md | 2 +- windows/application-management/app-v/appv-prerequisites.md | 2 +- .../app-v/appv-publish-a-connection-group.md | 2 +- .../appv-publish-a-packages-with-the-management-console.md | 2 +- ...nregister-a-publishing-server-with-the-management-console.md | 2 +- .../app-v/appv-release-notes-for-appv-for-windows-1703.md | 2 +- .../app-v/appv-release-notes-for-appv-for-windows.md | 2 +- 
windows/application-management/app-v/appv-reporting.md | 2 +- ...cally-installed-applications-inside-a-virtual-environment.md | 2 +- .../app-v/appv-security-considerations.md | 2 +- .../app-v/appv-sequence-a-new-application.md | 2 +- .../app-v/appv-sequence-a-package-with-powershell.md | 2 +- .../app-v/appv-supported-configurations.md | 2 +- .../application-management/app-v/appv-technical-reference.md | 2 +- ...-another-version-of-a-package-with-the-management-console.md | 2 +- windows/application-management/app-v/appv-troubleshooting.md | 2 +- ...ing-to-app-v-for-windows-10-from-an-existing-installation.md | 2 +- .../app-v/appv-using-the-client-management-console.md | 2 +- ...irtual-application-extensions-with-the-management-console.md | 2 +- .../app-v/appv-viewing-appv-server-publishing-metadata.md | 2 +- windows/client-management/index.yml | 2 +- .../configuration/cortana-at-work/cortana-at-work-feedback.md | 2 +- windows/configuration/cortana-at-work/cortana-at-work-o365.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-overview.md | 2 +- .../cortana-at-work/cortana-at-work-policy-settings.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-scenario-1.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-scenario-2.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-scenario-3.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-scenario-4.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-scenario-5.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-scenario-6.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-scenario-7.md | 2 +- .../cortana-at-work/cortana-at-work-testing-scenarios.md | 2 +- .../cortana-at-work/cortana-at-work-voice-commands.md | 2 +- .../cortana-at-work/set-up-and-test-cortana-in-windows-10.md | 2 +- windows/configuration/cortana-at-work/test-scenario-1.md | 2 +- windows/configuration/cortana-at-work/test-scenario-2.md | 2 +- 
windows/configuration/cortana-at-work/test-scenario-3.md | 2 +- windows/configuration/cortana-at-work/test-scenario-4.md | 2 +- windows/configuration/cortana-at-work/test-scenario-5.md | 2 +- windows/configuration/cortana-at-work/test-scenario-6.md | 2 +- .../testing-scenarios-using-cortana-in-business-org.md | 2 +- .../configuration/includes/multi-app-kiosk-support-windows11.md | 2 +- windows/configuration/index.yml | 2 +- .../uev-administering-uev-with-windows-powershell-and-wmi.md | 2 +- windows/configuration/ue-v/uev-administering-uev.md | 2 +- .../ue-v/uev-application-template-schema-reference.md | 2 +- .../ue-v/uev-changing-the-frequency-of-scheduled-tasks.md | 2 +- .../ue-v/uev-configuring-uev-with-group-policy-objects.md | 2 +- ...-configuring-uev-with-system-center-configuration-manager.md | 2 +- windows/configuration/ue-v/uev-deploy-required-features.md | 2 +- .../ue-v/uev-deploy-uev-for-custom-applications.md | 2 +- windows/configuration/ue-v/uev-for-windows.md | 2 +- windows/configuration/ue-v/uev-getting-started.md | 2 +- .../ue-v/uev-manage-administrative-backup-and-restore.md | 2 +- windows/configuration/ue-v/uev-manage-configurations.md | 2 +- ...tings-location-templates-using-windows-powershell-and-wmi.md | 2 +- ...ng-uev-agent-and-packages-with-windows-powershell-and-wmi.md | 2 +- windows/configuration/ue-v/uev-migrating-settings-packages.md | 2 +- windows/configuration/ue-v/uev-prepare-for-deployment.md | 2 +- windows/configuration/ue-v/uev-release-notes-1607.md | 2 +- windows/configuration/ue-v/uev-security-considerations.md | 2 +- windows/configuration/ue-v/uev-sync-methods.md | 2 +- windows/configuration/ue-v/uev-sync-trigger-events.md | 2 +- .../ue-v/uev-synchronizing-microsoft-office-with-uev.md | 2 +- windows/configuration/ue-v/uev-technical-reference.md | 2 +- windows/configuration/ue-v/uev-troubleshooting.md | 2 +- .../ue-v/uev-upgrade-uev-from-previous-releases.md | 2 +- ...ev-using-uev-with-application-virtualization-applications.md | 2 
+- windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md | 2 +- .../uev-working-with-custom-templates-and-the-uev-generator.md | 2 +- windows/configuration/wcd/wcd-accountmanagement.md | 2 +- windows/configuration/wcd/wcd-accounts.md | 2 +- windows/configuration/wcd/wcd-admxingestion.md | 2 +- windows/configuration/wcd/wcd-assignedaccess.md | 2 +- windows/configuration/wcd/wcd-browser.md | 2 +- windows/configuration/wcd/wcd-cellcore.md | 2 +- windows/configuration/wcd/wcd-cellular.md | 2 +- windows/configuration/wcd/wcd-certificates.md | 2 +- windows/configuration/wcd/wcd-changes.md | 2 +- windows/configuration/wcd/wcd-cleanpc.md | 2 +- windows/configuration/wcd/wcd-connections.md | 2 +- windows/configuration/wcd/wcd-connectivityprofiles.md | 2 +- windows/configuration/wcd/wcd-countryandregion.md | 2 +- windows/configuration/wcd/wcd-desktopbackgroundandcolors.md | 2 +- windows/configuration/wcd/wcd-developersetup.md | 2 +- windows/configuration/wcd/wcd-deviceformfactor.md | 2 +- windows/configuration/wcd/wcd-devicemanagement.md | 2 +- windows/configuration/wcd/wcd-deviceupdatecenter.md | 2 +- windows/configuration/wcd/wcd-dmclient.md | 2 +- windows/configuration/wcd/wcd-editionupgrade.md | 2 +- windows/configuration/wcd/wcd-firewallconfiguration.md | 2 +- windows/configuration/wcd/wcd-firstexperience.md | 2 +- windows/configuration/wcd/wcd-folders.md | 2 +- windows/configuration/wcd/wcd-hotspot.md | 2 +- windows/configuration/wcd/wcd-kioskbrowser.md | 2 +- windows/configuration/wcd/wcd-licensing.md | 2 +- windows/configuration/wcd/wcd-location.md | 2 +- windows/configuration/wcd/wcd-maps.md | 2 +- windows/configuration/wcd/wcd-networkproxy.md | 2 +- windows/configuration/wcd/wcd-networkqospolicy.md | 2 +- windows/configuration/wcd/wcd-oobe.md | 2 +- windows/configuration/wcd/wcd-personalization.md | 2 +- windows/configuration/wcd/wcd-policies.md | 2 +- windows/configuration/wcd/wcd-privacy.md | 2 +- windows/configuration/wcd/wcd-provisioningcommands.md | 2 
+- windows/configuration/wcd/wcd-sharedpc.md | 2 +- windows/configuration/wcd/wcd-smisettings.md | 2 +- windows/configuration/wcd/wcd-start.md | 2 +- windows/configuration/wcd/wcd-startupapp.md | 2 +- windows/configuration/wcd/wcd-startupbackgroundtasks.md | 2 +- windows/configuration/wcd/wcd-storaged3inmodernstandby.md | 2 +- windows/configuration/wcd/wcd-surfacehubmanagement.md | 2 +- windows/configuration/wcd/wcd-tabletmode.md | 2 +- windows/configuration/wcd/wcd-takeatest.md | 2 +- windows/configuration/wcd/wcd-time.md | 2 +- windows/configuration/wcd/wcd-unifiedwritefilter.md | 2 +- windows/configuration/wcd/wcd-universalappinstall.md | 2 +- windows/configuration/wcd/wcd-universalappuninstall.md | 2 +- windows/configuration/wcd/wcd-usberrorsoemoverride.md | 2 +- windows/configuration/wcd/wcd-weakcharger.md | 2 +- windows/configuration/wcd/wcd-windowshelloforbusiness.md | 2 +- windows/configuration/wcd/wcd-windowsteamsettings.md | 2 +- windows/configuration/wcd/wcd-wlan.md | 2 +- windows/configuration/wcd/wcd-workplace.md | 2 +- windows/configuration/wcd/wcd.md | 2 +- windows/deployment/do/index.yml | 2 +- .../windows-information-protection/app-behavior-with-wip.md | 2 +- .../collect-wip-audit-event-logs.md | 2 +- .../create-and-verify-an-efs-dra-certificate.md | 2 +- .../create-vpn-and-wip-policy-using-intune-azure.md | 2 +- .../create-wip-policy-using-configmgr.md | 2 +- .../create-wip-policy-using-intune-azure.md | 2 +- .../deploy-wip-policy-using-intune-azure.md | 2 +- .../enlightened-microsoft-apps-and-wip.md | 2 +- .../guidance-and-best-practices-wip.md | 2 +- .../windows-information-protection/how-to-disable-wip.md | 2 +- .../windows-information-protection/limitations-with-wip.md | 2 +- .../mandatory-settings-for-wip.md | 2 +- .../overview-create-wip-policy-configmgr.md | 2 +- .../overview-create-wip-policy.md | 2 +- .../protect-enterprise-data-using-wip.md | 2 +- .../recommended-network-definitions-for-wip.md | 2 +- 
.../windows-information-protection/testing-scenarios-for-wip.md | 2 +- .../windows-information-protection/using-owa-with-wip.md | 2 +- .../wip-app-enterprise-context.md | 2 +- .../windows-information-protection/wip-learning.md | 2 +- .../threat-protection/block-untrusted-fonts-in-enterprise.md | 2 +- windows/security/threat-protection/index.md | 2 +- ...ride-mitigation-options-for-app-related-security-policies.md | 2 +- .../overview-of-threat-mitigations-in-windows-10.md | 2 +- ...windows-event-forwarding-to-assist-in-intrusion-detection.md | 2 +- windows/whats-new/index.yml | 2 +- 234 files changed, 234 insertions(+), 234 deletions(-) diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md index df5e41eb07..92e4894f78 100644 --- a/education/windows/change-home-to-edu.md +++ b/education/windows/change-home-to-edu.md @@ -6,7 +6,7 @@ ms.topic: how-to author: scottbreenmsft ms.author: scbree ms.reviewer: paoloma -manager: jeffbu +manager: aaroncz ms.collection: - tier3 - education diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md index cc656aafd4..e92126877b 100644 --- a/windows/application-management/app-v/appv-about-appv.md +++ b/windows/application-management/app-v/appv-about-appv.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/08/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md index 58897cdf6e..db32a71242 100644 --- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md 
@@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/08/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md index fa08c35781..d9607a39ca 100644 --- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/08/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md index 03cecb9d0e..e11cff3d2f 100644 --- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md +++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/08/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md index e211ca7e51..b73a1de7c6 100644 --- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md +++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md 
@@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/08/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md index 26f95c80b5..80ab1602b9 100644 --- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md +++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/08/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index 74ab14397b..5782b539d8 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/08/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md index 567e7032c1..ec704a9bfe 100644 --- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md 
@@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/15/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md index cdf4c28c91..134f74c8d0 100644 --- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/15/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index 4939b6ebf8..ccec12eeac 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index e7258a8130..3cfc4a25e9 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps 
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md index 3355376c09..ef08860114 100644 --- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md +++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/15/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md index 7ceed272a7..960c96a092 100644 --- a/windows/application-management/app-v/appv-auto-provision-a-vm.md +++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md index 771a738982..1e7968c63d 100644 --- a/windows/application-management/app-v/appv-available-mdm-settings.md +++ b/windows/application-management/app-v/appv-available-mdm-settings.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/15/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index a6a532e8a3..87702c1df2 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md 
@@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md index 326585e719..2b4f017846 100644 --- a/windows/application-management/app-v/appv-client-configuration-settings.md +++ b/windows/application-management/app-v/appv-client-configuration-settings.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md index 41d37e769a..1160f2c0de 100644 --- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md index 8a69ae36a5..b472e767b9 100644 --- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md +++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md 
@@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md index 6c2f01bc3f..ef9a170375 100644 --- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md +++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/25/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md index 07b3d731e9..d5f427090d 100644 --- a/windows/application-management/app-v/appv-connect-to-the-management-console.md +++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/25/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md index e39efd3b64..dbd81a5419 100644 --- a/windows/application-management/app-v/appv-connection-group-file.md +++ b/windows/application-management/app-v/appv-connection-group-file.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/25/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps 
diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md index f1f55c9cd9..eb01f08fd1 100644 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 06/25/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index 860483ff03..eb35d19690 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 07/10/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md index 96b3e97312..fe8a0c0ac9 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md +++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 07/10/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps 
diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md index 497e3ea71b..b67e058e20 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group.md +++ b/windows/application-management/app-v/appv-create-a-connection-group.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 07/10/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md index 4c8acf525d..4d6aef98c4 100644 --- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md +++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 07/10/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index ddd0de127f..206a2c4dc9 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 07/10/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps 
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index c753f09372..cd1a5e6314 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 07/10/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md index 49e3724b94..c5d16599a9 100644 --- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 07/10/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md index 70650f1456..8fad7898e7 100644 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 07/10/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps 
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index adb044d34a..41a9ea4ae0 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md index 0326ed9cec..5d28a86d19 100644 --- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 07/10/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md index 32cb6660b7..018b8c8984 100644 --- a/windows/application-management/app-v/appv-delete-a-connection-group.md +++ b/windows/application-management/app-v/appv-delete-a-connection-group.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 09/27/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps 
diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md index 21b928cfbb..6c7fbb6ee0 100644 --- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 09/27/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md index 2f34d49a3a..580eebc9fd 100644 --- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md +++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md index 4005389caf..5088aaaf0f 100644 --- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 09/27/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps 
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md index f643e3540b..16db5ceeae 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md index 417e6a9dbd..3b942f6fc7 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md index 9b93a5cd57..e4abca5b4d 100644 --- a/windows/application-management/app-v/appv-deploying-appv.md +++ b/windows/application-management/app-v/appv-deploying-appv.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md index c1a212d4a9..1db6409588 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md 
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index 2361c92d00..482e1e96be 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index 871ad80c8d..5f5a47faf9 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md index 19ddffc329..baaaf62754 100644 --- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md 
+++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 09/27/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index 23364f226c..bbba1c8a0a 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md index a65e0f099d..623e3ef07e 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index a7c3a33ae3..6b89ffcb68 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps 
diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index 2f5070263e..f782e22867 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 09/27/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index c8554bb768..ca51b3b8f9 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.technology: itpro-apps ms.date: 05/02/2022 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: how-to --- diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index 2b56810126..3e0f982303 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps 
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md index c90e3f24f7..d23763d372 100644 --- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md +++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index 5324043e75..7ef67197bc 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md index c0190e9ad0..2798d2e4cf 100644 --- a/windows/application-management/app-v/appv-for-windows.md +++ b/windows/application-management/app-v/appv-for-windows.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 09/27/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index 0ac943721e..500a015467 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md 
@@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index d14f1d6594..3d480833f0 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index ca6176f530..604d4ca93a 100644 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md index 262b132cdd..ec07a9f2a4 100644 --- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md 
+++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md index 1628f2e74c..077dfe70f2 100644 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md index 72db9c5275..62b5f49184 100644 --- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md +++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md index f76835b49c..995af4a7b2 100644 --- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md 
+++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index 7d6a6fafc5..eeeb9120d7 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md index cd63df0b5f..22fab6a3b5 100644 --- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md +++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 09/27/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index fc8dfc21e0..8892ec9047 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 09/27/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps 
diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md index 90dbde5bfe..fc381bb0f9 100644 --- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.prod: windows-client ms.date: 09/24/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index 9cc33e59c4..4765157af7 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index 92205f0970..789d7cc976 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- 
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index 4a56597185..78d3d9b6a6 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index 5b3828c3ce..0322083aa8 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md index 221a09536f..f707da5e2e 100644 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- 
diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md index 7a455cd752..7eb6a6ee5d 100644 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md index 224a4490ae..bca6d21d80 100644 --- a/windows/application-management/app-v/appv-operations.md +++ b/windows/application-management/app-v/appv-operations.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index 5675d15eff..3d32c1834d 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index 7616cad1e5..4ba8df6b30 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md 
@@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index de5a689d74..7f9891e8dc 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md index 9279268e38..d586c7d002 100644 --- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md index f05793311f..88d29b3939 100644 --- a/windows/application-management/app-v/appv-planning-for-appv.md +++ b/windows/application-management/app-v/appv-planning-for-appv.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps 
diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index 90d0eb2de4..f83a6efb92 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md index c42918e88b..6249fb1463 100644 --- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index 451e113eaa..c0d76e731a 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps 
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index ad7565277d..2faf00ec3f 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md index 9a682b9c47..8aeafdf96d 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md index cf0f423e87..7960a6176f 100644 --- a/windows/application-management/app-v/appv-preparing-your-environment.md +++ b/windows/application-management/app-v/appv-preparing-your-environment.md @@ -5,7 +5,7 @@ ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: author: aczechowski -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md index d63f666cfa..e25a1a1ee7 100644 
--- a/windows/application-management/app-v/appv-prerequisites.md +++ b/windows/application-management/app-v/appv-prerequisites.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md index 67936bfc06..5f377d48e3 100644 --- a/windows/application-management/app-v/appv-publish-a-connection-group.md +++ b/windows/application-management/app-v/appv-publish-a-connection-group.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 09/27/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md index 3401984dac..2c52dce04b 100644 --- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 09/27/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md index 0bd4777e42..55b03dee3e 100644 --- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md 
+++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md index 5bfd8497af..9c0c3225bb 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index fa7f9d3364..523b7ad256 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index 5464c1fdcc..cd42eb1ffc 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/16/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps 
diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index 49b68f3ed9..6b551661d4 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 03/08/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index 23e9dce8a5..9482c32049 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/16/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md index 7e0b19b428..6950c97d05 100644 --- a/windows/application-management/app-v/appv-sequence-a-new-application.md +++ b/windows/application-management/app-v/appv-sequence-a-new-application.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/16/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md index 65cccc4561..04be00dcbf 100644 
--- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md +++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index e9168ea779..ffb10c4b02 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/16/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-apps diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index 80859782c4..bb3c4874f4 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md index b0a1c0a587..74aec2aba2 100644 --- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md 
+++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md index 9bba519134..5678e04c06 100644 --- a/windows/application-management/app-v/appv-troubleshooting.md +++ b/windows/application-management/app-v/appv-troubleshooting.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md index 192f9f4b66..bb291a0484 100644 --- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index c327a058bb..66b4aa8372 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ b/windows/application-management/app-v/appv-using-the-client-management-console.md 
@@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md index 858f0dcbad..c0d29c01af 100644 --- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md index f5fad71c85..d51f9556a1 100644 --- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md +++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md @@ -5,7 +5,7 @@ author: aczechowski ms.prod: windows-client ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-apps --- diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index 8b288e7905..9501d46c0a 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -14,7 +14,7 @@ metadata: - tier1 author: aczechowski ms.author: aaroncz - manager: dougeby + manager: aaroncz ms.date: 04/13/2023 localization_priority: medium 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index ae511d78a9..d238ab8539 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index 8e06273c57..5dc0aa37ec 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -10,7 +10,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 02f381c39f..2f8c615755 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -1,7 +1,7 @@ --- title: Configure Cortana in Windows 10 and Windows 11 ms.reviewer: -manager: dougeby +manager: aaroncz description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and for enterprise environments. ms.prod: windows-client ms.collection: tier3 diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md index fca7d43916..8cfe781f37 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md 
@@ -7,7 +7,7 @@ author: aczechowski ms.localizationpriority: medium ms.author: aaroncz ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 ms.topic: article diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index 661a84faa2..421e8959d9 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md @@ -7,7 +7,7 @@ author: aczechowski ms.localizationpriority: medium ms.author: aaroncz ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 ms.topic: article diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index 99c60d8373..c107c97a64 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md index 3975696457..50fb4c4d32 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md index 8dcfcc91c7..997bd2f471 100644 
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md index efac6821ae..67d77779e6 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index 8fdc30830e..a940f6be39 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md index e60c202497..88e5901e0c 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md index 6f2a30aa8b..6a8fa6528d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 06/28/2021 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index c7b3eac2bc..21f168168d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index c280af5397..01d6c2db85 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -1,7 +1,7 @@ --- title: Set up and test Cortana in Windows 10, version 2004 and later ms.reviewer: -manager: dougeby +manager: aaroncz description: Cortana includes powerful configuration options specifically to optimize unique small to medium-sized business and enterprise environments. ms.prod: windows-client ms.collection: tier3 diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md index 81d3d89d7c..6f3ffd8173 100644 --- a/windows/configuration/cortana-at-work/test-scenario-1.md 
+++ b/windows/configuration/cortana-at-work/test-scenario-1.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md index df3d6c02ec..f69b1c2789 100644 --- a/windows/configuration/cortana-at-work/test-scenario-2.md +++ b/windows/configuration/cortana-at-work/test-scenario-2.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md index 2c23f88711..b57dded7f3 100644 --- a/windows/configuration/cortana-at-work/test-scenario-3.md +++ b/windows/configuration/cortana-at-work/test-scenario-3.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md index 14eb9842c3..081ea5877a 100644 --- a/windows/configuration/cortana-at-work/test-scenario-4.md +++ b/windows/configuration/cortana-at-work/test-scenario-4.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md index 18c3c99f7a..17a27dc786 100644 --- a/windows/configuration/cortana-at-work/test-scenario-5.md +++ b/windows/configuration/cortana-at-work/test-scenario-5.md 
@@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md index 50e009cc49..8915d4300d 100644 --- a/windows/configuration/cortana-at-work/test-scenario-6.md +++ b/windows/configuration/cortana-at-work/test-scenario-6.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md index 973e56ee5e..a7ad523655 100644 --- a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md +++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.date: 10/05/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/includes/multi-app-kiosk-support-windows11.md b/windows/configuration/includes/multi-app-kiosk-support-windows11.md index efe346ced6..7f90909404 100644 --- a/windows/configuration/includes/multi-app-kiosk-support-windows11.md +++ b/windows/configuration/includes/multi-app-kiosk-support-windows11.md @@ -3,7 +3,7 @@ author: aczechowski ms.author: aaroncz ms.date: 09/21/2021 ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 ms.topic: include --- diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index 2891f614c0..0eace6a656 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml 
@@ -13,7 +13,7 @@ metadata: - tier1 author: aczechowski ms.author: aaroncz - manager: dougeby + manager: aaroncz ms.date: 08/05/2021 #Required; mm/dd/yyyy format. localization_priority: medium diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md index 852b3e4500..f6909fdc31 100644 --- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md index b4bfc496ca..02bb612d1b 100644 --- a/windows/configuration/ue-v/uev-administering-uev.md +++ b/windows/configuration/ue-v/uev-administering-uev.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index a26af56567..d0d7b3db53 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure 
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md index d6cb847dc1..28f57b767c 100644 --- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md +++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md index 5942fc45be..f18438c0c3 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index 60273009e8..efd9497722 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md index 479a729676..04a273fdd4 100644 --- a/windows/configuration/ue-v/uev-deploy-required-features.md 
+++ b/windows/configuration/ue-v/uev-deploy-required-features.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md index 1d05d369d0..76987da15a 100644 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md index f1604d6359..7b140aa669 100644 --- a/windows/configuration/ue-v/uev-for-windows.md +++ b/windows/configuration/ue-v/uev-for-windows.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 05/02/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index 36ce63717c..32db93baee 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 03/08/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md index 22bf076b54..34a9229f65 100644 --- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md 
+++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md index 1e594846ab..51a1e724fe 100644 --- a/windows/configuration/ue-v/uev-manage-configurations.md +++ b/windows/configuration/ue-v/uev-manage-configurations.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md index 04dae12024..78252752e3 100644 --- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md index 4d07a6a09a..079e034324 100644 --- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md 
@@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md index 9c3cebd1a1..27fcbea39e 100644 --- a/windows/configuration/ue-v/uev-migrating-settings-packages.md +++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index 5e13281dc1..f498b6600b 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md index 47dfe6e7e7..42571c453b 100644 --- a/windows/configuration/ue-v/uev-release-notes-1607.md +++ b/windows/configuration/ue-v/uev-release-notes-1607.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md index a91444675f..2bde66cad7 100644 --- a/windows/configuration/ue-v/uev-security-considerations.md +++ b/windows/configuration/ue-v/uev-security-considerations.md 
@@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md index 7d1eeeccb0..bff2257777 100644 --- a/windows/configuration/ue-v/uev-sync-methods.md +++ b/windows/configuration/ue-v/uev-sync-methods.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md index b9571cdf2a..a080d46d6e 100644 --- a/windows/configuration/ue-v/uev-sync-trigger-events.md +++ b/windows/configuration/ue-v/uev-sync-trigger-events.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md index 7851418fe8..a28147ecb1 100644 --- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md +++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md index 9d161c1889..c4f15d65ce 100644 --- a/windows/configuration/ue-v/uev-technical-reference.md +++ b/windows/configuration/ue-v/uev-technical-reference.md 
@@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md index d2a350b63d..0f96a38a1b 100644 --- a/windows/configuration/ue-v/uev-troubleshooting.md +++ b/windows/configuration/ue-v/uev-troubleshooting.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md index 78cfb2f9c0..495602a3d7 100644 --- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md +++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md index 5d02d042ce..4d2e9541ec 100644 --- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md +++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md index 157f473f1f..147230cb37 100644 
--- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md +++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md index 827c6ad3ff..1c94036b4c 100644 --- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md +++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md @@ -6,7 +6,7 @@ ms.prod: windows-client ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: aaroncz ms.topic: article ms.technology: itpro-configure diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md index 2e7840f541..3d883a1d2b 100644 --- a/windows/configuration/wcd/wcd-accountmanagement.md +++ b/windows/configuration/wcd/wcd-accountmanagement.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 04/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index 43031314a1..2f26418dde 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 04/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md index b393f8b184..b1c2aad0d0 100644 --- a/windows/configuration/wcd/wcd-admxingestion.md 
+++ b/windows/configuration/wcd/wcd-admxingestion.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 09/06/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md index be108dc758..17322a4076 100644 --- a/windows/configuration/wcd/wcd-assignedaccess.md +++ b/windows/configuration/wcd/wcd-assignedaccess.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 04/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index 918836b846..abcc63d261 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 10/02/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index af88e9f060..4d48caa562 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 10/02/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index 7b97d13b21..d39280a5fe 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -1,7 +1,7 @@ --- title: Cellular (Windows 10) ms.reviewer: -manager: dougeby +manager: aaroncz description: This section describes the Cellular settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: windows-client author: aczechowski 
diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md index 0fac2bb393..8a15c48f5b 100644 --- a/windows/configuration/wcd/wcd-certificates.md +++ b/windows/configuration/wcd/wcd-certificates.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 09/06/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index a4f21e84f9..6788558d33 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -1,7 +1,7 @@ --- title: Changes to settings in Windows Configuration Designer (Windows 10) ms.reviewer: -manager: dougeby +manager: aaroncz description: This section describes the changes to settings in Windows Configuration Designer in Windows 10, version 1809. ms.prod: windows-client author: aczechowski diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md index 7c9b872efe..3bb2b66098 100644 --- a/windows/configuration/wcd/wcd-cleanpc.md +++ b/windows/configuration/wcd/wcd-cleanpc.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 09/06/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md index e8fb9cfb34..0434a57ba2 100644 --- a/windows/configuration/wcd/wcd-connections.md +++ b/windows/configuration/wcd/wcd-connections.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 04/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index 1692de1889..88daab22bd 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md 
+++ b/windows/configuration/wcd/wcd-connectivityprofiles.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 04/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md index e008f9285f..9c1e5b2b70 100644 --- a/windows/configuration/wcd/wcd-countryandregion.md +++ b/windows/configuration/wcd/wcd-countryandregion.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 04/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md index 4c51c6e3ef..b7d4eee9d8 100644 --- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md +++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 09/21/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md index 496b0b07bd..f93fe468a8 100644 --- a/windows/configuration/wcd/wcd-developersetup.md +++ b/windows/configuration/wcd/wcd-developersetup.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 09/06/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md index be7bfcda42..d47c6a0d97 100644 --- a/windows/configuration/wcd/wcd-deviceformfactor.md +++ b/windows/configuration/wcd/wcd-deviceformfactor.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 04/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- 
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md index b7f1546197..fd933e1cb7 100644 --- a/windows/configuration/wcd/wcd-devicemanagement.md +++ b/windows/configuration/wcd/wcd-devicemanagement.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 04/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md index 9d0ab9779d..4d5c9d8f2f 100644 --- a/windows/configuration/wcd/wcd-deviceupdatecenter.md +++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md @@ -5,7 +5,7 @@ ms.prod: windows-client author: aczechowski ms.localizationpriority: medium ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: article ms.technology: itpro-configure ms.date: 12/31/2017 diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md index 7c7fe21043..218f3f2102 100644 --- a/windows/configuration/wcd/wcd-dmclient.md +++ b/windows/configuration/wcd/wcd-dmclient.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 04/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md index c2261d1d6c..696a33078b 100644 --- a/windows/configuration/wcd/wcd-editionupgrade.md +++ b/windows/configuration/wcd/wcd-editionupgrade.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 04/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md index ed8813b347..3bfedb1fc5 100644 --- a/windows/configuration/wcd/wcd-firewallconfiguration.md +++ b/windows/configuration/wcd/wcd-firewallconfiguration.md 
@@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 09/06/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md index 317e860a92..d17727272b 100644 --- a/windows/configuration/wcd/wcd-firstexperience.md +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 08/08/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md index d65f38e718..d59d40f6a3 100644 --- a/windows/configuration/wcd/wcd-folders.md +++ b/windows/configuration/wcd/wcd-folders.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 04/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md index 6e0bfbe99c..e838a329d8 100644 --- a/windows/configuration/wcd/wcd-hotspot.md +++ b/windows/configuration/wcd/wcd-hotspot.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 12/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md index d1904f8a39..600809d119 100644 --- a/windows/configuration/wcd/wcd-kioskbrowser.md +++ b/windows/configuration/wcd/wcd-kioskbrowser.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 10/02/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md index 7308c531a1..f03737f546 100644 --- a/windows/configuration/wcd/wcd-licensing.md +++ b/windows/configuration/wcd/wcd-licensing.md 
@@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 09/06/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md index 9b1e501fec..94fe50a11b 100644 --- a/windows/configuration/wcd/wcd-location.md +++ b/windows/configuration/wcd/wcd-location.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md index 37b93da96d..a371f05731 100644 --- a/windows/configuration/wcd/wcd-maps.md +++ b/windows/configuration/wcd/wcd-maps.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md index 0b8561c8cf..f12104c539 100644 --- a/windows/configuration/wcd/wcd-networkproxy.md +++ b/windows/configuration/wcd/wcd-networkproxy.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md index 2be6c377ba..71560b301f 100644 --- a/windows/configuration/wcd/wcd-networkqospolicy.md +++ b/windows/configuration/wcd/wcd-networkqospolicy.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index df4078b569..f8af613b82 100644 
--- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -1,7 +1,7 @@ --- title: OOBE (Windows 10) ms.reviewer: -manager: dougeby +manager: aaroncz description: This section describes the OOBE settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: windows-client author: aczechowski diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md index 249dc446a7..b89c45755d 100644 --- a/windows/configuration/wcd/wcd-personalization.md +++ b/windows/configuration/wcd/wcd-personalization.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index b2ac514b17..902475d894 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -1,7 +1,7 @@ --- title: Policies (Windows 10) ms.reviewer: -manager: dougeby +manager: aaroncz description: This section describes the Policies settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: windows-client author: aczechowski diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md index df2b29c1ff..65d872fe1b 100644 --- a/windows/configuration/wcd/wcd-privacy.md +++ b/windows/configuration/wcd/wcd-privacy.md @@ -5,7 +5,7 @@ ms.prod: windows-client author: aczechowski ms.localizationpriority: medium ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: article ms.technology: itpro-configure ms.date: 12/31/2017 diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md index 1015406211..d523106679 100644 
--- a/windows/configuration/wcd/wcd-provisioningcommands.md +++ b/windows/configuration/wcd/wcd-provisioningcommands.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 09/06/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index f0574a44c2..80275970c1 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 10/16/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md index 5f29ebedfd..5ce6d3c4b1 100644 --- a/windows/configuration/wcd/wcd-smisettings.md +++ b/windows/configuration/wcd/wcd-smisettings.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 03/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md index 098c9bbb9c..53ff39614a 100644 --- a/windows/configuration/wcd/wcd-start.md +++ b/windows/configuration/wcd/wcd-start.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 09/06/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md index 7ebe657816..44ae8f59c7 100644 --- a/windows/configuration/wcd/wcd-startupapp.md +++ b/windows/configuration/wcd/wcd-startupapp.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 09/06/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md index 0ef9b010e5..b04f726240 100644 
--- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md +++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 09/06/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md index 61f8c30b69..d9a2c856ff 100644 --- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md +++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md @@ -6,7 +6,7 @@ author: aczechowski ms.localizationpriority: medium ms.author: aaroncz ms.topic: article -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md index 12bd766d54..92dd641460 100644 --- a/windows/configuration/wcd/wcd-surfacehubmanagement.md +++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 09/06/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md index 15758077ad..13b9e9a810 100644 --- a/windows/configuration/wcd/wcd-tabletmode.md +++ b/windows/configuration/wcd/wcd-tabletmode.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 04/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md index 1def53b033..1001238225 100644 --- a/windows/configuration/wcd/wcd-takeatest.md +++ b/windows/configuration/wcd/wcd-takeatest.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 09/06/2017 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- 
diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md index 659eef75c7..320b7fa6a5 100644 --- a/windows/configuration/wcd/wcd-time.md +++ b/windows/configuration/wcd/wcd-time.md @@ -5,7 +5,7 @@ ms.prod: windows-client author: aczechowski ms.localizationpriority: medium ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: article ms.technology: itpro-configure ms.date: 12/31/2017 diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md index 55abb9002a..6bc7634cfb 100644 --- a/windows/configuration/wcd/wcd-unifiedwritefilter.md +++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md index bbd3749ad5..98f1fd3fd3 100644 --- a/windows/configuration/wcd/wcd-universalappinstall.md +++ b/windows/configuration/wcd/wcd-universalappinstall.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md index ab0005120f..4f40efa1fb 100644 --- a/windows/configuration/wcd/wcd-universalappuninstall.md +++ b/windows/configuration/wcd/wcd-universalappuninstall.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md index 3a53cca460..8dbef10171 100644 
--- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md +++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md index 2270de3845..a7eafa43c9 100644 --- a/windows/configuration/wcd/wcd-weakcharger.md +++ b/windows/configuration/wcd/wcd-weakcharger.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md index 8c42614eca..1a414d570f 100644 --- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md +++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md index 9db59248ff..e37dc898a4 100644 --- a/windows/configuration/wcd/wcd-windowsteamsettings.md +++ b/windows/configuration/wcd/wcd-windowsteamsettings.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md index c691224077..a44a635cf6 100644 --- a/windows/configuration/wcd/wcd-wlan.md +++ b/windows/configuration/wcd/wcd-wlan.md 
@@ -1,7 +1,7 @@ --- title: WLAN (Windows 10) ms.reviewer: -manager: dougeby +manager: aaroncz description: This section describes the WLAN settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: windows-client author: aczechowski diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md index 2055154e19..b36b0cd090 100644 --- a/windows/configuration/wcd/wcd-workplace.md +++ b/windows/configuration/wcd/wcd-workplace.md @@ -8,7 +8,7 @@ ms.author: aaroncz ms.topic: article ms.date: 04/30/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure --- diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 1c7d6d423c..8c1f2f6053 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index cdbe9ad071..3d120dad99 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -14,7 +14,7 @@ metadata: - tier3 author: aczechowski ms.author: aaroncz - manager: dougeby + manager: aaroncz ms.date: 03/07/2022 #Required; mm/dd/yyyy format. localization_priority: medium diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index c18264a48d..3db313bdd3 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md 
@@ -3,7 +3,7 @@ title: Unenlightened and enlightened app behavior while using Windows Informatio description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 02/26/2019 ms.reviewer: diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 717a6630bd..3d7152aa4c 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -3,7 +3,7 @@ title: How to collect Windows Information Protection (WIP) audit event logs description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding. author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 02/26/2019 ms.reviewer: diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index c40a6f49b7..303f8c3057 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md 
@@ -3,7 +3,7 @@ title: Create an EFS Data Recovery Agent certificate description: Follow these steps to create, verify, and perform a quick recovery by using an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.reviewer: rafals ms.topic: how-to ms.date: 07/15/2022 diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index b599da46cc..709de2a54d 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md @@ -3,7 +3,7 @@ title: Associate and deploy a VPN policy for Windows Information Protection (WIP description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 02/26/2019 ms.reviewer: diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index b6b7dac0ab..01f7c3b238 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md 
@@ -3,7 +3,7 @@ title: Create and deploy a WIP policy in Configuration Manager description: Use Microsoft Configuration Manager to create and deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data. author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.reviewer: rafals ms.topic: how-to ms.date: 07/15/2022 diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 1f361f1d46..6cb50dc76b 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -3,7 +3,7 @@ title: Create a WIP policy in Intune description: Learn how to use the Microsoft Intune admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network. author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.reviewer: rafals ms.topic: how-to ms.date: 07/15/2022 diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index 38b528117e..0269f73fe5 100644 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md 
@@ -3,7 +3,7 @@ title: Deploy your Windows Information Protection (WIP) policy using the Azure p description: After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 03/05/2019 ms.reviewer: diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index a2b9598ab5..1660b49f10 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -4,7 +4,7 @@ description: Learn the difference between enlightened and unenlightened apps. Fi ms.reviewer: author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 05/02/2019 --- diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md index e6f007eb70..f98f1a7125 100644 --- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md +++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md @@ -3,7 +3,7 @@ title: General guidance and best practices for Windows Information Protection (W description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart. author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 02/26/2019 --- 
diff --git a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md index 5d1fd5f71f..f30aaac954 100644 --- a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md +++ b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md @@ -6,7 +6,7 @@ ms.topic: how-to author: lizgt2000 ms.author: lizlong ms.reviewer: aaroncz -manager: dougeby +manager: aaroncz --- # How to disable Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index bb9dd3ec92..783f627a5c 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -3,7 +3,7 @@ title: Limitations while using Windows Information Protection (WIP) description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP). author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.reviewer: rafals ms.topic: conceptual ms.date: 04/05/2019 diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index 90f438a6ae..c849026e4b 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md 
@@ -3,7 +3,7 @@ title: Mandatory tasks and settings required to turn on Windows Information Prot description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise. author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 05/25/2022 --- diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md index a3e74b015d..25099e224a 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md @@ -3,7 +3,7 @@ title: Create a Windows Information Protection (WIP) policy using Microsoft Conf description: Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 02/26/2019 --- diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md index 2478ede777..794a46361f 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md 
@@ -3,7 +3,7 @@ title: Create a Windows Information Protection (WIP) policy using Microsoft Intu description: Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy. author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 03/11/2019 --- diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index d052a94ac2..4135a203b8 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -3,7 +3,7 @@ title: Protect your enterprise data using Windows Information Protection description: Learn how to prevent accidental enterprise data leaks through apps and services, such as email, social media, and the public cloud. author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.reviewer: rafals ms.topic: overview ms.date: 07/15/2022 diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index 921f111a75..fc9dfc237c 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md 
@@ -3,7 +3,7 @@ title: Recommended URLs for Windows Information Protection description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 03/25/2019 --- diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 1daeec1865..30c94d76be 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -4,7 +4,7 @@ description: A list of suggested testing scenarios that you can use to test Wind ms.reviewer: author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 03/05/2019 --- diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md index 21f5c309e3..43f6497a22 100644 --- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md @@ -3,7 +3,7 @@ title: Using Outlook on the web with WIP description: Options for using Outlook on the web with Windows Information Protection (WIP). author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 02/26/2019 --- 
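Review bot: in each of these front-matter hunks the new `manager: aaroncz` value is the same alias as the unchanged `ms.author: aaroncz` line directly above it, so the author and manager fields of every touched WIP and threat-protection page now name one person. If that is intended, say so in the commit message; otherwise set `manager:` to the alias of whoever actually signs off on these security articles. The `ms.date` values are left untouched, which is reasonable for a metadata-only change.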
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index bea9a21501..02730fbed2 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -3,7 +3,7 @@ title: Determine the Enterprise Context of an app running in Windows Information description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 02/26/2019 --- diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index b7ff5f992d..08963510aa 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -3,7 +3,7 @@ title: Fine-tune Windows Information Policy (WIP) with WIP Learning description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company. author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.date: 02/26/2019 --- diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index 76f980c27e..005fb7d07d 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md 
@@ -5,7 +5,7 @@ ms.reviewer: ms.prod: windows-client author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.date: 08/14/2017 ms.localizationpriority: medium ms.technology: itpro-security diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 850102843d..ffc754aaf6 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -4,7 +4,7 @@ description: Describes the security capabilities in Windows client focused on th ms.prod: windows-client author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.topic: conceptual ms.technology: itpro-security ms.date: 12/31/2017 diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md index 9ce8d9bfcc..682b246cfa 100644 --- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md @@ -4,7 +4,7 @@ description: How to use Group Policy to override individual Process Mitigation O ms.prod: windows-client author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.localizationpriority: medium ms.technology: itpro-security ms.date: 12/31/2017 diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 51a9ad4ad2..365c09f330 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md 
@@ -5,7 +5,7 @@ ms.prod: windows-client ms.localizationpriority: medium author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.technology: itpro-security ms.date: 12/31/2017 ms.topic: article diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 08153aa0d5..3b1d1fd82f 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -4,7 +4,7 @@ description: Learn about an approach to collect events from devices in your orga ms.prod: windows-client author: aczechowski ms.author: aaroncz -manager: dougeby +manager: aaroncz ms.date: 02/28/2019 ms.localizationpriority: medium ms.technology: itpro-security diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index b99c54cd1c..193ffc24a8 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -14,7 +14,7 @@ metadata: - tier1 author: aczechowski ms.author: aaroncz - manager: dougeby + manager: aaroncz ms.date: 11/14/2022 localization_priority: medium From e9e01d209e6151bbee1e7096cbf8f9236f9a0b8d Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 9 Aug 2023 15:22:46 -0400 Subject: [PATCH 077/110] Editing for style and grammar Make a few changes to the contribution to make some of the points clearer and to account for style and grammar. --- ...rted-with-the-user-state-migration-tool.md | 28 +++++++++++-------- 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index e7cea642e3..9eebdd0921 100644 
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md 
@@ -18,37 +18,41 @@ This article outlines the general process that you should follow to migrate file 1. [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). -2. [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys. +1. [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys. -3. Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). +1. Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). -4. Use the `/GenMigXML` command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md) +1. Use the `/GenMigXML` command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. 
For more information, see [ScanState Syntax](usmt-scanstate-syntax.md) -5. Modify copies of the `Migration.xml` and `MigDocs.xml` files and create custom .xml files, if it's required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or `MigXmlHelper.GenerateDocPatterns` helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files. +1. Modify copies of the `Migration.xml` and `MigDocs.xml` files and create custom .xml files, if it's required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or `MigXmlHelper.GenerateDocPatterns` helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files. > [!IMPORTANT] > We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files. You can use the `MigXML.xsd` file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). -6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, run the `ScanState.exe` command with the [/genconfig](usmt-scanstate-syntax.md#migration-rule-options) option and specify the .xml files that you use with `ScanState.exe` as arguments. For example, the following command creates a `Config.xml` file by using the `MigDocs.xml` and `MigApp.xml` files: +1. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. 
To create this file, run the `ScanState.exe` command with the following options: + - [/genconfig](usmt-scanstate-syntax.md#migration-rule-options). + - [/i](usmt-scanstate-syntax.md#migration-rule-options) - as arguments specify the .xml files that you plan to use with `ScanState.exe`. + + For example, the following command creates a `Config.xml` file by using the `MigDocs.xml` and `MigApp.xml` files: ```cmd ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log ``` -7. Review and modify the `Config.xml` file to specify components that you don't want to migrate. Open the `Config.xml` that you generated, review the migration state of the components listed in it, and specify `migrate=no` for any components that you don't want to migrate. +1. Open the `Config.xml` that was generated in the previous step. Review the migration state of each of the components listed in the `Config.xml` file. If necessary, edit the `Config.xml` file and specify `migrate=no` for any components that you don't want to migrate. ## Step 2: Collect files and settings from the source computer 1. Back up the source computer. -2. Close all applications. If some applications are running when you run the `ScanState.exe` command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files. +1. Close all applications. If some applications are running when you run the `ScanState.exe` command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files. > [!NOTE] > USMT will fail if it cannot migrate a file or setting unless you specify the `/C` option. When you specify the `/C` option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. 
You can use the `` section in the `Config.xml` file to specify which errors should be ignored, and which should cause the migration to fail. -3. Run the `ScanState.exe` command on the source computer to collect files and settings. You should specify all of the .xml files that you want the `ScanState.exe` command to use. For example, +1. Run the `ScanState.exe` command on the source computer to collect files and settings. You should specify all of the .xml files that you want the `ScanState.exe` command to use. For example, ```cmd ScanState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log 
@@ -57,23 +61,23 @@ This article outlines the general process that you should follow to migrate file > [!NOTE] > If the source computer is running Windows 7, or Windows 8, you must run the `ScanState.exe` command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then select **Run As Administrator**. For more information about the how the `ScanState.exe` command processes and stores the data, see [How USMT Works](usmt-how-it-works.md). -4. Run the `UsmtUtils.exe` command with the `/Verify` option to ensure that the store you created isn't corrupted. +1. Run the `UsmtUtils.exe` command with the `/Verify` option to ensure that the store you created isn't corrupted. ## Step 3: Prepare the destination computer and restore files and settings 1. Install the operating system on the destination computer. -2. Install all applications that were on the source computer. Although it isn't always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved. +1. Install all applications that were on the source computer. Although it isn't always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved. > [!NOTE] > The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft Office, which USMT can migrate from an older version to a newer version. -3. Close all applications. If some applications are running when you run the `LoadState.exe ` command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files. +1. Close all applications. 
If some applications are running when you run the `LoadState.exe ` command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files. > [!NOTE] > Use `/C` to continue your migration if errors are encountered, and use the `` section in the `Config.xml` file to specify which errors should be ignored, and which errors should cause the migration to fail. -4. Run the `LoadState.exe ` command on the destination computer. Specify the same set of .xml files that you specified when you used the `ScanState.exe` command. However, you don't have to specify the `Config.xml` file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the `Config.xml` file and specify the updated file by using the `LoadState.exe ` command. Then, the `LoadState.exe ` command will migrate only the files and settings that you want to migrate. For more information about how the `LoadState.exe ` command processes and migrates data, see [How USMT Works](usmt-how-it-works.md). +1. Run the `LoadState.exe ` command on the destination computer. Specify the same set of .xml files that you specified when you used the `ScanState.exe` command. However, you don't have to specify the `Config.xml` file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the `Config.xml` file and specify the updated file by using the `LoadState.exe ` command. Then, the `LoadState.exe ` command will migrate only the files and settings that you want to migrate. For more information about how the `LoadState.exe ` command processes and migrates data, see [How USMT Works](usmt-how-it-works.md). 
For example, the following command migrates the files and settings: From d51f05b4eba07d4688e04aeb123b3027cc6313c0 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 9 Aug 2023 15:37:42 -0400 Subject: [PATCH 078/110] Update that Azure AD isn't supported Made changes to initial contribution. Removed mention of hybrid AAD and just mentioned that AAD isn't supported. Will wait to get further clarification on hybrid AAD before adding info on hybrid AAD. --- .../windows-upgrade-and-migration-considerations.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index 6df13ed120..81fcb592e6 100644 --- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md @@ -7,7 +7,7 @@ ms.prod: windows-client author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 08/09/2023 --- # Windows upgrade and migration considerations 
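Review bot: in getting-started-with-the-user-state-migration-tool.md (PATCH 077), the renumbered `+` lines under Step 3 keep the code span `LoadState.exe ` with a trailing space inside the backticks, in both the "Close all applications" and "Run the" items; drop the space so it matches `ScanState.exe`. In the same patch, the Step 2 item "Run the `ScanState.exe` command on the source computer" still ends with "For example," before the `cmd` block, where the new Step 1 text uses a colon ("...`MigApp.xml` files:"), and the `/GenMigXML` item still has no period after the ScanState Syntax link. The new `/i` sub-bullet ("- as arguments specify the .xml files that you plan to use") would read more cleanly as "[/i] to specify each .xml file that you plan to use with `ScanState.exe`".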
@@ -29,12 +29,15 @@ Windows Easy Transfer is a software wizard for transferring files and settings f With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you can't use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store. > [!NOTE] +> > Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10). ### Migrate with the User State Migration Tool You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they're migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded. -Note USMT supports devices that are joined to an Active Directory domain. USMT does not support hybrid or AAD joined devices. +> [!IMPORTANT] +> +> USMT only supports devices that are joined to a local Active Directory domain. USMT doesn't support Azure AD joined devices. ## Upgrade and migration considerations Whether you're upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations: @@ -66,4 +69,4 @@ This feature is disabled if this registry key value exists and is configured to ## Related articles [User State Migration Tool (USMT) Overview Topics](../usmt/usmt-topics.md)
[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md) \ No newline at end of file +[Windows 10 edition upgrade](windows-10-edition-upgrades.md) From 8694942120d67ba321f32eeedc07c2186e6b9e81 Mon Sep 17 00:00:00 2001 From: MeeraDi <97992368+MeeraDi@users.noreply.github.com> Date: Wed, 9 Aug 2023 12:29:58 -0600 Subject: [PATCH 079/110] Updates to country and countries --- windows/deployment/do/delivery-optimization-workflow.md | 2 +- windows/deployment/do/mcc-isp-faq.yml | 6 +++--- windows/deployment/update/wufb-reports-schema-ucclient.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md index b994ac956f..b0a7f34819 100644 --- a/windows/deployment/do/delivery-optimization-workflow.md +++ b/windows/deployment/do/delivery-optimization-workflow.md @@ -35,7 +35,7 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r |Endpoint hostname | Port|Name|Description|Data sent from the computer to the endpoint |--------------------------------------------|--------|---------------|-----------------------|------------------------| | geover-prod.do.dsp.mp.microsoft.com
geo-prod.do.dsp.mp.microsoft.com
geo.prod.do.dsp.mp.microsoft.com
geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox)
**doClientVersion**: The version of the DoSvc client
**groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies) | -| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services and device configs. | **countryCode**: The country the client is connected from
**doClientVersion**: The version of the DoSvc client
**Profile**: The device type (for example, PC or Xbox)
**eId**: Client grouping ID
**CacheHost**: Cache host ID | +| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services and device configs. | **countryCode**: The country or region the client is connected from
**doClientVersion**: The version of the DoSvc client
**Profile**: The device type (for example, PC or Xbox)
**eId**: Client grouping ID
**CacheHost**: Cache host ID | | cp\*.prod.do.dsp.mp.microsoft.com
| 443 | Content Policy | Provides content specific policies and as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**countryCode**: The country the client is connected from
**altCatalogID**: If ContentID isn't available, use the download URL instead
**eID**: Client grouping ID
**CacheHost**: Cache host ID | | disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupID and external IP. | **Profile**: The device type (for example, PC or Xbox)
**ContentID**: The content identifier
**doClientVersion**: The version of the DoSvc client
**partitionID**: Client partitioning hint
**altCatalogID**: If ContentID isn't available, use the download URL instead
**eID**: Client grouping ID | | array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
**ContentID**: The content identifier
**doClientVersion**: The version of the DoSvc client
**altCatalogID**: If ContentID isn't available, use the download URL instead
**PeerID**: Identity of the device running DO client
**ReportedIp**: The internal / private IP Address
**IsBackground**: Is the download interactive or background
**Uploaded**: Total bytes uploaded to peers
**Downloaded**: Total bytes downloaded from peers
**DownloadedCdn**: Total bytes downloaded from CDN
**Left**: Bytes left to download
**Peers Wanted**: Total number of peers wanted
**Group ID**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
**Scope**: The Download mode
**UploadedBPS**: The upload speed in bytes per second
**DownloadBPS**: The download speed in Bytes per second
**eID**: Client grouping ID | diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index ce711ad5b5..61cf0eeef2 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml 
@@ -54,8 +54,8 @@ sections: answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Cache(s), you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes. - question: Should I add any load balancing mechanism? answer: You don't need to add any load balancing. Our service will take care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node. - - question: How many Microsoft Connected Cache instances will I need? How do we set up if we support multiple countries? - answer: As stated in the table above, the recommended configuration will achieve near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that will help you estimate the number of cache nodes needed. If your ISP spans multiple countries, you can set up separate cache nodes per country. + - question: How many Microsoft Connected Cache instances will I need? How do we set up if we support multiple countries or regions? + answer: As stated in the table above, the recommended configuration will achieve near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that will help you estimate the number of cache nodes needed. If your ISP spans multiple countries or regions, you can set up separate cache nodes per country or region. - question: Where should we install Microsoft Connected Cache? answer: You are in control of your hardware and you can pick the location based on your traffic and end customers. You can choose the location where you have your routers or where you have dense traffic or any other parameters. 
- question: How long would a piece of content live within the Microsoft Connected Cache? Is content purged from the cache? @@ -67,7 +67,7 @@ sections: - question: Is IPv6 supported? answer: No, we don't currently support IPV6. We plan to support it in the future. - question: Is Microsoft Connected Cache stable and reliable? - answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers. + answer: We have already successfully onboarded ISPs in many countries and regions around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers. - question: How does Microsoft Connected Cache populate its content? answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD. - question: What CDNs will Microsoft Connected Cache pull content from? diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md index 3b460f113f..45ad832a0a 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclient.md +++ b/windows/deployment/update/wufb-reports-schema-ucclient.md 
@@ -20,7 +20,7 @@ UCClient acts as an individual device's record. It contains data such as the cur |---|---|---|---| | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | | **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID | -| **Country** | [string](/azure/kusto/query/scalar-data-types/string) | `US` | The last-reported location of device (country), based on IP address. Shown as country code. | +| **Country** | [string](/azure/kusto/query/scalar-data-types/string) | `US` | The last-reported location of device (country or region), based on IP address. Shown as country code. | | **DeviceFamily** | [string](/azure/kusto/query/scalar-data-types/string) | `PC, Phone` | The device family such as PC, Phone. | | **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name | | **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | The global device identifier | From d9714bc952eb3a7768f4f753281df94d7b1660ad Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 9 Aug 2023 14:08:21 -0700 Subject: [PATCH 080/110] ucclient-schema-edits --- .../update/wufb-reports-schema-ucclient.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md index 3b460f113f..0662b5090b 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclient.md +++ b/windows/deployment/update/wufb-reports-schema-ucclient.md @@ -6,7 +6,7 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.topic: reference -ms.date: 06/06/2022 +ms.date: 08/09/2023 ms.technology: itpro-updates --- 
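Review bot: in delivery-optimization-workflow.md (PATCH 079), only the `kv*` row's **countryCode** description becomes "The country or region the client is connected from"; the `cp*` (Content Policy) row of the same table still reads "The country the client is connected from". Update that row in this hunk as well so the table is consistent. In wufb-reports-schema-ucclient.md the **Country** description now says "(country or region)" but still ends with "Shown as country code."; decide whether that sentence should change too.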
@@ -27,29 +27,29 @@ UCClient acts as an individual device's record. It contains data such as the cur | **LastCensusScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. | | **LastWUScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful Windows Update scan, if any. | | **OSArchitecture** | [string](/azure/kusto/query/scalar-data-types/string) | `x86` | The architecture of the operating system (not the device) this device is currently on. | -| **OSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full operating system build installed on this device, such as Major.Minor.Build.Revision | -| **OSBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `da` | The major build number, in int format, the device is using. | +| **OSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.22621.1702` | The full operating system build installed on this device, such as Major.Minor.Build.Revision | +| **OSBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `22621` | The major build number, in int format, the device is using. | | **OSEdition** | [string](/azure/kusto/query/scalar-data-types/string) | `Professional` | The Windows edition | -| **OSFeatureUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Compliant` | Whether or not the device is on the latest feature update being offered by the Windows Update for Business deployment service, else NotApplicable. | +| **OSFeatureUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Compliant` | Whether or not the device is on the latest feature update that's offered from the Windows Update for Business deployment service, else NotApplicable. 
| | **OSFeatureUpdateEOSTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The end of service date of the feature update currently installed on the device. | | **OSFeatureUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the feature update currently installed on the device. | | **OSFeatureUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `InService;EndOfService` | Whether or not the device is on the latest available feature update, for its feature update. | -| **OSQualityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest quality update being offered by the Windows Update for Business deployment service, else NotApplicable. | +| **OSQualityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest quality update that's offered from the Windows Update for Business deployment service, else NotApplicable. | | **OSQualityUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the quality update currently installed on the device. | | **OSQualityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest` | Whether or not the device is on the latest available quality update, for its feature update. | | **OSRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | The revision, in int format, this device is on. | -| **OSSecurityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest security update (quality update where the Classification=Security) being offered by the Windows Update for Business deployment service, else NotApplicable. 
| +| **OSSecurityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest security update (quality update where the Classification=Security) that's offered from the Windows Update for Business deployment service, else NotApplicable. | | **OSSecurityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest;MultipleSecurityUpdatesMissing` | Whether or not the device is on the latest available security update, for its feature update. | | **OSServicingChannel** | [string](/azure/kusto/query/scalar-data-types/string) | `SAC` | The elected Windows 10 servicing channel of the device. | | **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 operating system version currently installed on the device, such as 19H2, 20H1, 20H2. | | **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID, if available. | -| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This field is to determine to which batch snapshot this record belongs. | | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceEvent` | The EntityType. | -| **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The Windows update feature update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. 
| -| **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: DeferFeatureUpdates. The Windows update feature update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values >0 indicate the policy setting. | -| **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. | +| **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The Windows update feature update deadline configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values > `0` indicate the deadline in days. | +| **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: DeferFeatureUpdates. The Windows update feature update deferral configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values > `0` indicate the policy setting. | +| **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured, `0` indicates configured and set to `0`. Values greater than `0` indicate the grace period in days. | | **WUFeaturePauseState** | [string](/azure/kusto/query/scalar-data-types/string) | `NotConfigured` | Indicates pause status of device for feature updates, possible values are Paused, NotPaused, NotConfigured. | -| **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. 
| -| **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values greater than 0 indicate the policy setting. | -| **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | The Windows Update grace period for quality update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. | +| **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values > `0` indicate the deadline in days. | +| **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values greater than `0` indicate the policy setting. | +| **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | The Windows Update grace period for quality update in days. `-1` indicates not configured, `0` indicates configured and set to `0`. Values greater than `0` indicate the grace period in days. | | **WUQualityPauseState** | [string](/azure/kusto/query/scalar-data-types/string) | `NotConfigured` | Indicates pause status of device for quality updates, possible values are Paused, NotPaused, NotConfigured. | From bc72e9f38e0e0ae62cac1de0dbc3f984e8e77ff7 Mon Sep 17 00:00:00 2001 
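Review bot: In the second hunk of wufb-reports-schema-ucclient.md (PATCH 080), the WUFeatureGracePeriodDays row still has its leading -1 as plain text ("-1 indicates not configured, `0` indicates configured and set to `0`") while the other five deadline, deferral and grace-period rows now use `-1`; wrap it in backticks as well. The same hunk moves the OSBuild example to `10.0.22621.1702` and OSBuildNumber to `22621` but leaves the OSRevisionNumber example at `836`, so the three examples no longer describe one build; `1702` would match. The rows also mix "Values > `0`" and "Values greater than `0`"; pick one form.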
From: Gary Moore Date: Wed, 9 Aug 2023 14:35:31 -0700 Subject: [PATCH 081/110] Changed "being offered" to "offered" to raise Acrolinx score --- windows/deployment/update/wufb-reports-schema-ucclient.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md index 45ad832a0a..6ba2f4117a 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclient.md +++ b/windows/deployment/update/wufb-reports-schema-ucclient.md 
@@ -34,11 +34,11 @@ UCClient acts as an individual device's record. It contains data such as the cur | **OSFeatureUpdateEOSTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The end of service date of the feature update currently installed on the device. | | **OSFeatureUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the feature update currently installed on the device. | | **OSFeatureUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `InService;EndOfService` | Whether or not the device is on the latest available feature update, for its feature update. | -| **OSQualityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest quality update being offered by the Windows Update for Business deployment service, else NotApplicable. | +| **OSQualityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest quality update offered by the Windows Update for Business deployment service, else NotApplicable. | | **OSQualityUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the quality update currently installed on the device. | | **OSQualityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest` | Whether or not the device is on the latest available quality update, for its feature update. | | **OSRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | The revision, in int format, this device is on. 
| -| **OSSecurityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest security update (quality update where the Classification=Security) being offered by the Windows Update for Business deployment service, else NotApplicable. | +| **OSSecurityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest security update (quality update where the Classification=Security) offered by the Windows Update for Business deployment service, else NotApplicable. | | **OSSecurityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest;MultipleSecurityUpdatesMissing` | Whether or not the device is on the latest available security update, for its feature update. | | **OSServicingChannel** | [string](/azure/kusto/query/scalar-data-types/string) | `SAC` | The elected Windows 10 servicing channel of the device. | | **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 operating system version currently installed on the device, such as 19H2, 20H1, 20H2. | From a71a6ef44b3fbbd14d1666202010c68c305499e5 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Aug 2023 07:04:25 -0400 Subject: [PATCH 082/110] Update add-apps-and-features.md set date correctly --- windows/application-management/add-apps-and-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index 889b326553..bc31b8b6e5 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md 
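Review bot: PATCH 081 rewrites the OSQualityUpdateComplianceStatus and OSSecurityUpdateComplianceStatus rows of wufb-reports-schema-ucclient.md from "being offered by" to "offered by", but PATCH 080 in this series rewrites the same two rows to "that's offered from", so the two changes collide on the same lines; whichever lands second needs a rebase and one agreed wording. PATCH 080 also shows the OSFeatureUpdateComplianceStatus row carrying the same "being offered by" phrase, and that row sits outside this hunk, so check that it ends up with the same wording.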
@@ -4,7 +4,7 @@ description: Learn how to add Windows 10 and Windows 11 optional features using author: aczechowski ms.author: aaroncz manager: aaroncz -ms.date: 08/04/2023 +ms.date: 08/30/2021 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps From 7dbb1d9dffb256a5e06f3b131412e1328aa66233 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Aug 2023 07:04:50 -0400 Subject: [PATCH 083/110] Update apps-in-windows-10.md 02/09/2023 --- windows/application-management/apps-in-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 6387f6e388..340e639b2e 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -4,7 +4,7 @@ description: Learn more and understand the different types of apps that run on W author: aczechowski ms.author: aaroncz manager: aaroncz -ms.date: 08/04/2023 +ms.date: 02/09/2023 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps From d6febce25746795a8addba9f505fa243ae8f89fa Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Aug 2023 07:05:24 -0400 Subject: [PATCH 084/110] Update enterprise-background-activity-controls.md correct date --- .../enterprise-background-activity-controls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index d59d548da5..1ed95c362a 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md 
@@ -4,7 +4,7 @@ description: Allow enterprise background tasks unrestricted access to computer r author: aczechowski ms.author: aaroncz manager: aaroncz -ms.date: 08/04/2023 +ms.date: 10/03/2017 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps From ac657de4bc8a092681b1cb6994181649a1dcbf32 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Aug 2023 07:05:48 -0400 Subject: [PATCH 085/110] Update app-v-end-life-statement.md correct date --- .../application-management/includes/app-v-end-life-statement.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md index faa562b953..f9844e71b1 100644 --- a/windows/application-management/includes/app-v-end-life-statement.md +++ b/windows/application-management/includes/app-v-end-life-statement.md @@ -2,7 +2,7 @@ author: aczechowski ms.author: aaroncz manager: aaroncz -ms.date: 08/04/2023 +ms.date: 09/20/2021 ms.topic: include ms.prod: w10 ms.collection: tier1 From eb401c290e70b8729229a85d32fb619268a7acf9 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Aug 2023 07:06:21 -0400 Subject: [PATCH 086/110] Update applies-to-windows-client-versions.md correct date --- .../includes/applies-to-windows-client-versions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md index 2bde1c4e62..35084641c6 100644 --- a/windows/application-management/includes/applies-to-windows-client-versions.md +++ b/windows/application-management/includes/applies-to-windows-client-versions.md 
@@ -2,7 +2,7 @@ author: aczechowski ms.author: aaroncz manager: aaroncz -ms.date: 08/04/2023 +ms.date: 09/28/2021 manager: aaroncz ms.topic: include ms.prod: windows-client From 165e22c325c05c4dee388a1d0b4561b74a5533e7 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Aug 2023 07:06:50 -0400 Subject: [PATCH 087/110] Update index.yml correct date --- windows/application-management/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index 5705397c60..adca0baba0 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -9,7 +9,7 @@ metadata: author: aczechowski ms.author: aaroncz manager: aaroncz - ms.date: 08/04/2023 + ms.date: 08/24/2021 ms.topic: landing-page ms.prod: windows-client ms.collection: @@ -63,4 +63,4 @@ landingContent: - text: Per-user services in Windows url: per-user-services-in-windows.md - text: Per-user services in Windows - url: per-user-services-in-windows.md \ No newline at end of file + url: per-user-services-in-windows.md From 7c7c1b2c77676cd2e57557c4cf43585d0f4185d9 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Aug 2023 07:07:14 -0400 Subject: [PATCH 088/110] Update per-user-services-in-windows.md correct date --- windows/application-management/per-user-services-in-windows.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index ed038c7e0d..1b840ef5a8 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md 
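Review bot: In applies-to-windows-client-versions.md (PATCH 086) the front matter visible around the ms.date line carries `manager: aaroncz` twice, once before ms.date and once directly after it. Since this hunk already touches the block, drop the second `manager` line so the YAML has no duplicate key.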
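Review bot: In index.yml (PATCH 087) the last hunk shows the "Per-user services in Windows" link (url: per-user-services-in-windows.md) listed twice in a row at the end of the file; remove the duplicate entry while the trailing newline is being fixed. The commit message says only "correct date", so it should mention the end-of-file change too.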
@@ -4,7 +4,7 @@ description: Learn about per-user services, how to change the template service S author: aczechowski ms.author: aaroncz manager: aaroncz -ms.date: 08/04/2023 +ms.date: 09/14/2017 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps From edcdb56dc150d385a2648f59267c93a72e5c5dfa Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Aug 2023 07:07:37 -0400 Subject: [PATCH 089/110] Update private-app-repository-mdm-company-portal-windows-11.md correct date --- .../private-app-repository-mdm-company-portal-windows-11.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md index 2d103039b2..93ceaacb2c 100644 --- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md +++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md @@ -4,7 +4,7 @@ description: Use the Company Portal app in Windows 11 devices to access the priv author: aczechowski ms.author: aaroncz manager: aaroncz -ms.date: 08/04/2023 +ms.date: 04/04/2023 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps From e07068d4408686f2e147b565b2c396ccea4e16fe Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Aug 2023 07:08:03 -0400 Subject: [PATCH 090/110] Update remove-provisioned-apps-during-update.md correct date --- .../remove-provisioned-apps-during-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index 24e4b5076d..a7d6df5901 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md 
+++ b/windows/application-management/remove-provisioned-apps-during-update.md @@ -4,7 +4,7 @@ description: How to keep provisioned apps that were removed from your machine fr author: aczechowski ms.author: aaroncz manager: aaroncz -ms.date: 08/04/2023 +ms.date: 05/25/2018 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps From 427018219ff0767c934a4610029c036219797f1f Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Aug 2023 07:08:25 -0400 Subject: [PATCH 091/110] Update sideload-apps-in-windows-10.md correct date --- windows/application-management/sideload-apps-in-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index cacafd251f..70f3c50177 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -4,7 +4,7 @@ description: Learn how to sideload line-of-business (LOB) apps in Windows client author: aczechowski ms.author: aaroncz manager: aaroncz -ms.date: 08/04/2023 +ms.date: 12/07/2017 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps From 81d552edbd600d40e7a19a0131adda4fba17c433 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Aug 2023 07:08:48 -0400 Subject: [PATCH 092/110] Update svchost-service-refactoring.md correct date --- windows/application-management/svchost-service-refactoring.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index cdcf69903a..eef38fed3e 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md 
@@ -4,7 +4,7 @@ description: Learn about the SvcHost Service Refactoring introduced in Windows 1 author: aczechowski ms.author: aaroncz manager: aaroncz -ms.date: 08/04/2023 +ms.date: 07/20/2017 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps From 1d21af9886f1c44be26baff1f3ad3bdc8c45113a Mon Sep 17 00:00:00 2001 
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 10 Aug 2023 11:42:46 -0400 Subject: [PATCH 093/110] Refresh articles and globalize metadata --- ...e-active-directory-integration-with-mdm.md | 23 ++-- ...omatic-mdm-enrollment-in-the-new-portal.md | 11 +- ...ollment-using-windows-provisioning-tool.md | 11 +- ...ficate-authentication-device-enrollment.md | 11 +- .../certificate-renewal-windows-mdm.md | 11 +- .../administrative-tools-in-windows.md | 10 +- ...t-removal-policy-external-storage-media.md | 10 +- .../client-tools/connect-to-remote-aadj-pc.md | 10 +- ...e-device-installation-with-group-policy.md | 40 +++---- .../manage-settings-app-with-group-policy.md | 12 +- .../client-tools/mandatory-user-profile.md | 15 +-- .../client-tools/quick-assist.md | 11 +- .../client-tools/windows-libraries.md | 14 +-- .../client-tools/windows-version-search.md | 11 +- windows/client-management/config-lock.md | 107 ++++++++--------- .../device-update-management.md | 11 +- .../disconnecting-from-mdm-unenrollment.md | 11 +- windows/client-management/docfx.json | 16 ++- .../enable-admx-backed-policies-in-mdm.md | 11 +- ...device-automatically-using-group-policy.md | 11 +- .../enterprise-app-management.md | 11 +- .../esim-enterprise-management.md | 9 +- ...erated-authentication-device-enrollment.md | 11 +- ...rver-side-mobile-application-management.md | 11 +- ...-in-your-organization-modern-management.md | 11 +- windows/client-management/mdm-collect-logs.md | 11 +- .../mdm-diagnose-enrollment.md | 11 +- .../mdm-enrollment-of-windows-devices.md | 11 +- windows/client-management/mdm-known-issues.md | 11 +- windows/client-management/mdm-overview.md | 10 +- .../mobile-device-enrollment.md | 11 +- ...ew-in-windows-mdm-enrollment-management.md | 12 +- .../oma-dm-protocol-support.md | 11 +- ...remise-authentication-device-enrollment.md | 11 +- .../push-notification-windows-mdm.md | 11 +- .../server-requirements-windows-mdm.md | 11 +- 
.../structure-of-oma-dm-provisioning-files.md | 21 +--- .../understanding-admx-backed-policies.md | 11 +- ...-scripting-with-the-wmi-bridge-provider.md | 11 +- ...and-centennial-app-policy-configuration.md | 11 +- .../windows-mdm-enterprise-settings.md | 11 +- .../wmi-providers-supported-in-windows.md | 110 ++++++++---------- 42 files changed, 178 insertions(+), 538 deletions(-) diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index 0bb98be706..49babbaee1 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md @@ -1,20 +1,11 @@ --- title: Azure Active Directory integration with MDM description: Azure Active Directory is the world's largest enterprise cloud identity management service. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.collection: - highpri - tier2 -ms.date: 04/05/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Azure Active Directory integration with MDM 
@@ -256,12 +247,12 @@ Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=A The following table shows the error codes. -|Cause|HTTP status|Error|Description| -|--- |--- |--- |--- | -|api-version|302|invalid_request|unsupported version| -|Tenant or user data are missing or other required prerequisites for device enrollment aren't met|302|unauthorized_client|unauthorized user or tenant| -|Azure AD token validation failed|302|unauthorized_client|unauthorized_client| -|internal service error|302|server_error|internal service error| +| Cause | HTTP status | Error | Description | +|--------------------------------------------------------------------------------------------------|-------------|---------------------|-----------------------------| +| api-version | 302 | invalid_request | unsupported version | +| Tenant or user data are missing or other required prerequisites for device enrollment aren't met | 302 | unauthorized_client | unauthorized user or tenant | +| Azure AD token validation failed | 302 | unauthorized_client | unauthorized_client | +| internal service error | 302 | server_error | internal service error | ## Enrollment protocol with Azure AD diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index 1c9d410723..7be811341c 100644 --- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md 
@@ -1,17 +1,8 @@ --- title: Automatic MDM enrollment in the Intune admin center description: Automatic MDM enrollment in the Intune admin center -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/05/2023 -ms.reviewer: -manager: aaroncz -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Automatic MDM enrollment in the Intune admin center diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md index a09f295976..b7120cd181 100644 --- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md @@ -1,17 +1,8 @@ --- title: Bulk enrollment description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/05/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Bulk enrollment using Windows Configuration Designer diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md index 6db2ca38a4..c1ab833e1c 100644 --- a/windows/client-management/certificate-authentication-device-enrollment.md +++ b/windows/client-management/certificate-authentication-device-enrollment.md 
@@ -1,17 +1,8 @@ --- title: Certificate authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/05/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Certificate authentication device enrollment diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md index bf7efd00cf..297a6f1918 100644 --- a/windows/client-management/certificate-renewal-windows-mdm.md +++ b/windows/client-management/certificate-renewal-windows-mdm.md @@ -1,17 +1,8 @@ --- title: Certificate Renewal description: Learn how to find all the resources that you need to provide continuous access to client certificates. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/08/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Certificate Renewal diff --git a/windows/client-management/client-tools/administrative-tools-in-windows.md b/windows/client-management/client-tools/administrative-tools-in-windows.md index a511db702c..41a9ab68ab 100644 --- a/windows/client-management/client-tools/administrative-tools-in-windows.md +++ b/windows/client-management/client-tools/administrative-tools-in-windows.md 
@@ -1,20 +1,12 @@ --- title: Windows Tools/Administrative Tools description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users. -ms.prod: windows-client -author: vinaypamnani-msft -ms.author: vinpa -manager: aaroncz ms.localizationpriority: medium -ms.date: 04/11/2023 +ms.date: 08/10/2023 ms.topic: article ms.collection: - highpri - tier2 -ms.technology: itpro-manage -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 --- # Windows Tools/Administrative Tools diff --git a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md index 2959430065..72d54682b2 100644 --- a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md @@ -1,17 +1,9 @@ --- title: Windows default media removal policy description: In Windows 10 and later, the default removal policy for external storage media changed from Better performance to Quick removal. -ms.prod: windows-client -author: vinaypamnani-msft -ms.author: vinpa -ms.date: 04/11/2023 +ms.date: 08/10/2023 ms.topic: article ms.localizationpriority: medium -manager: aaroncz -ms.technology: itpro-manage -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 --- # Change in default removal policy for external storage media in Windows diff --git a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md index 85c581ddd4..56f57c950e 100644 --- a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md +++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md 
@@ -1,20 +1,12 @@ --- title: Connect to remote Azure Active Directory joined device description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device. -ms.prod: windows-client -author: vinaypamnani-msft ms.localizationpriority: medium -ms.author: vinpa -ms.date: 04/11/2023 -manager: aaroncz +ms.date: 08/10/2023 ms.topic: article -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 ms.collection: - highpri - tier2 -ms.technology: itpro-manage --- # Connect to remote Azure Active Directory joined device diff --git a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md index 6fdc71124f..bcc46c3832 100644 --- a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md +++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md @@ -1,18 +1,8 @@ --- title: Manage Device Installation with Group Policy description: Find out how to manage Device Installation Restrictions with Group Policy. -ms.prod: windows-client -author: vinaypamnani-msft -ms.date: 08/08/2023 -ms.reviewer: -manager: aaroncz -ms.author: vinpa +ms.date: 08/10/2023 ms.topic: article -ms.technology: itpro-manage -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 --- # Manage Device Installation with Group Policy 
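Review bot: The appliesto list removed from manage-device-installation-with-group-policy.md includes "✅ Windows Server 2022", which none of the other front-matter blocks removed in this part of the patch carry (they list only Windows 11 and Windows 10). If the docfx.json change listed in the diffstat sets one global appliesto value, this article loses its Windows Server applicability; add file-specific metadata for it in docfx.json or keep the appliesto block in this file.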
@@ -67,7 +57,7 @@ The scenarios presented in this guide illustrate how you can control device inst | Scenario #1: Prevent installation of all printers | In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy. | | Scenario #2: Prevent installation of a specific printer | In this scenario, the administrator allows standard users to install all printers while but preventing them from installing a specific one. | | Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed | In this scenario, you'll combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies. | -| Scenario #4: Prevent installation of a specific USB device | This scenario, although similar to scenario #2, brings another layer of complexity—how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. | +| Scenario #4: Prevent installation of a specific USB device | This scenario, although similar to scenario #2, brings another layer of complexity-how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. 
| | Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive | In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. | ## Technology Review 
@@ -76,7 +66,7 @@ The following sections provide a brief overview of the core technologies discuss ### Device Installation in Windows -A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition—it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. +A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition-it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages. @@ -238,7 +228,7 @@ To find device identification strings using Device Manager !['Details' tab.](images/device-installation-dm-printer-details-screen.png)
_Open the 'Details' tab to look for the device identifiers_ -1. From the 'Value' window, copy the most detailed Hardware ID—we'll use this value in the policies. +1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies. ![HWID.](images/device-installation-dm-printer-hardware-ids.png) @@ -335,9 +325,9 @@ Creating the policy to prevent all printers from being installed: 1. Click 'OK'. -1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs. +1. Click 'Apply' on the bottom right of the policy's window-this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs. -1. Optional—if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' +1. Optional-if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' > [!IMPORTANT] > Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using 'Disk Drive' class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine. 
@@ -347,7 +337,7 @@ Creating the policy to prevent all printers from being installed: 1. If you haven't completed step #9, follow these steps: 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device". - 1. For USB printer—unplug and plug back the cable; for network device—make a search for the printer in the Windows Settings app. + 1. For USB printer-unplug and plug back the cable; for network device-make a search for the printer in the Windows Settings app. 1. You shouldn't be able to reinstall the printer. 1. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. 
@@ -426,14 +416,14 @@ Setting up the environment for the scenario with the following steps: ### Scenario steps - preventing installation of an entire class while allowing a specific printer -Getting the device identifier for both the Printer Class and a specific printer—following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario: +Getting the device identifier for both the Printer Class and a specific printer-following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario: - ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318} - Hardware ID = WSDPRINT\CanonMX920_seriesC1A0 First create a 'Prevent Class' policy and then create 'Allow Device' one: -1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. +1. Open Group Policy Object Editor-either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. 1. Navigate to the Device Installation Restriction page: 
@@ -451,11 +441,11 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one: 1. Click 'OK'. -1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs. +1. Click 'Apply' on the bottom right of the policy's window-this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs. 1. To complete the coverage of all future and existing printers, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK' -1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it—this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device. +1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it-this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device. :::image type="content" alt-text="Screenshot of Local Group Policy Editor that shows the policies under Device Installation Restrictions and the policy named in this step." source="images/device-installation-apply-layered_policy-1.png" lightbox="images/device-installation-apply-layered_policy-1.png"::: 
@@ -471,13 +461,13 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one: 1. Click 'OK'. -1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and allows the target printer to be installed (or stayed installed). +1. Click 'Apply' on the bottom right of the policy's window-this option pushes the policy and allows the target printer to be installed (or stayed installed). ## Testing scenario 3 1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document. -1. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer—you shouldn't be bale to print anything or able to access the printer at all. +1. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer-you shouldn't be bale to print anything or able to access the printer at all. ## Scenario #4: Prevent installation of a specific USB device @@ -530,7 +520,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed: 1. In the lower left side, in the 'Options' window, click the 'Show' box. This option will take you to a table where you can enter the device identifier to block. -1. Enter the USB thumb-drive device ID you found above—`USBSTOR\DiskGeneric_Flash_Disk______8.07`. +1. Enter the USB thumb-drive device ID you found above-`USBSTOR\DiskGeneric_Flash_Disk______8.07`. ![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)
_Prevent Device IDs list_ @@ -636,7 +626,7 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one: 1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow. -1. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation—`USBSTOR\DiskGeneric_Flash_Disk______8.07`. +1. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation-`USBSTOR\DiskGeneric_Flash_Disk______8.07`. ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs.".](images/device-installation-gpo-allow-device-id-list-usb.png)
_Allowed USB Device IDs list_ diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md index a0af81bb73..afc00a6203 100644 --- a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md +++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md @@ -1,18 +1,8 @@ --- title: Manage the Settings app with Group Policy description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users. -ms.prod: windows-client -author: vinaypamnani-msft -ms.date: 04/13/2023 -ms.reviewer: -manager: aaroncz -ms.author: vinpa +ms.date: 08/10/2023 ms.topic: article -ms.technology: itpro-manage -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2016 --- # Manage the Settings app with Group Policy diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md index 181e7485db..65a2911980 100644 --- a/windows/client-management/client-tools/mandatory-user-profile.md +++ b/windows/client-management/client-tools/mandatory-user-profile.md @@ -1,20 +1,11 @@ --- title: Create mandatory user profiles description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. -ms.prod: windows-client -author: vinaypamnani-msft -ms.author: vinpa -ms.date: 04/11/2023 -ms.reviewer: -manager: aaroncz +ms.date: 08/10/2023 ms.topic: article ms.collection: - highpri - tier2 -ms.technology: itpro-manage -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 --- # Create mandatory user profiles 
@@ -127,13 +118,9 @@ In a domain, you modify properties for the user account to point to the mandator ### How to apply a mandatory user profile to users 1. Open **Active Directory Users and Computers** (dsa.msc). - 1. Navigate to the user account that you will assign the mandatory profile to. - 1. Right-click the user name and open **Properties**. - 1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is `\\server\share\profile.v6`, you would enter `\\server\share\profile`. - 1. Click **OK**. It may take some time for this change to replicate to all domain controllers. diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md index 9997673adf..615806cfd5 100644 --- a/windows/client-management/client-tools/quick-assist.md +++ b/windows/client-management/client-tools/quick-assist.md @@ -1,18 +1,9 @@ --- title: Use Quick Assist to help users description: Learn how IT Pros can use Quick Assist to help users. -ms.date: 04/11/2023 -ms.prod: windows-client +ms.date: 08/10/2023 ms.topic: article -ms.technology: itpro-manage ms.localizationpriority: medium -author: vinaypamnani-msft -ms.author: vinpa -manager: aaroncz -ms.reviewer: pmadrigal -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 ms.collection: - highpri - tier1 diff --git a/windows/client-management/client-tools/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md index 12e7efd5db..08d317028a 100644 --- a/windows/client-management/client-tools/windows-libraries.md +++ b/windows/client-management/client-tools/windows-libraries.md 
@@ -1,20 +1,8 @@ --- title: Windows Libraries description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. -ms.prod: windows-client -author: vinaypamnani-msft -ms.author: vinpa -manager: aaroncz -ms.reviewer: -ms.technology: itpro-manage ms.topic: article -ms.date: 04/11/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 +ms.date: 08/10/2023 --- # Windows libraries diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md index 42f0454fa7..cfb56793c3 100644 --- a/windows/client-management/client-tools/windows-version-search.md +++ b/windows/client-management/client-tools/windows-version-search.md @@ -1,17 +1,8 @@ --- title: What version of Windows am I running? description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel. -ms.prod: windows-client -author: vinaypamnani-msft -ms.author: vinpa -ms.date: 04/13/2023 -ms.reviewer: -manager: aaroncz +ms.date: 08/10/2023 ms.topic: troubleshooting -ms.technology: itpro-manage -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 --- # What version of Windows am I running? diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md index d32bed289c..719f8dd7ed 100644 --- a/windows/client-management/config-lock.md +++ b/windows/client-management/config-lock.md @@ -1,13 +1,8 @@ --- title: Secured-core configuration lock description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 05/24/2022 +ms.date: 08/10/2023 appliesto: - ✅ Windows 11 --- 
@@ -24,12 +19,12 @@ To summarize, config lock: - Detects drift remediates within seconds - Doesn't prevent malicious attacks +[!INCLUDE [secured-core-configuration-lock](../../includes/licensing/secured-core-configuration-lock.md)] + ## Configuration Flow After a [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure) reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies). -[!INCLUDE [secured-core-configuration-lock](../../includes/licensing/secured-core-configuration-lock.md)] - ## Enabling config lock using Microsoft Intune Config lock isn't enabled by default, or turned on by the OS during boot. Rather, you need to turn it on. 
@@ -75,52 +70,52 @@ Config lock is designed to ensure that a secured-core PC isn't unintentionally m ## List of locked policies -|**CSPs** | -|-----| -|[BitLocker](mdm/bitlocker-csp.md) | -|[PassportForWork](mdm/passportforwork-csp.md) | -|[WindowsDefenderApplicationGuard](mdm/windowsdefenderapplicationguard-csp.md) | -|[ApplicationControl](mdm/applicationcontrol-csp.md) +| **CSPs** | +|-------------------------------------------------------------------------------| +| [BitLocker](mdm/bitlocker-csp.md) | +| [PassportForWork](mdm/passportforwork-csp.md) | +| [WindowsDefenderApplicationGuard](mdm/windowsdefenderapplicationguard-csp.md) | +| [ApplicationControl](mdm/applicationcontrol-csp.md) | -|**MDM policies** | **Supported by Group Policy** | -|-----|-----| -|[DataProtection/AllowDirectMemoryAccess](mdm/policy-csp-dataprotection.md) | No | -|[DataProtection/LegacySelectiveWipeID](mdm/policy-csp-dataprotection.md) | No | -|[DeviceGuard/ConfigureSystemGuardLaunch](mdm/policy-csp-deviceguard.md) | Yes | -|[DeviceGuard/EnableVirtualizationBasedSecurity](mdm/policy-csp-deviceguard.md) | Yes | -|[DeviceGuard/LsaCfgFlags](mdm/policy-csp-deviceguard.md) | Yes | -|[DeviceGuard/RequirePlatformSecurityFeatures](mdm/policy-csp-deviceguard.md) | Yes | -|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DeviceInstallation/PreventDeviceMetadataFromNetwork](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | 
-|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes | -|[DmaGuard/DeviceEnumerationPolicy](mdm/policy-csp-dmaguard.md) | Yes | -|[WindowsDefenderSecurityCenter/CompanyName](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableClearTpmButton](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableFamilyUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableHealthUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableNetworkUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](mdm/policy-csp-windowsdefendersecuritycenter.md)| Yes | -|[WindowsDefenderSecurityCenter/DisableVirusUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/Email](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | 
-|[WindowsDefenderSecurityCenter/EnableInAppCustomization](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/HideSecureBoot](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/Phone](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[WindowsDefenderSecurityCenter/URL](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | -|[SmartScreen/EnableAppInstallControl](mdm/policy-csp-smartscreen.md)| Yes | -|[SmartScreen/EnableSmartScreenInShell](mdm/policy-csp-smartscreen.md) | Yes | -|[SmartScreen/PreventOverrideForFilesInShell](mdm/policy-csp-smartscreen.md) | Yes | +| **MDM policies** | **Supported by Group Policy** | +|-----------------------------------------------------------------------------------------------------------------------------|-------------------------------| +| [DataProtection/AllowDirectMemoryAccess](mdm/policy-csp-dataprotection.md) | No | +| [DataProtection/LegacySelectiveWipeID](mdm/policy-csp-dataprotection.md) | No | +| [DeviceGuard/ConfigureSystemGuardLaunch](mdm/policy-csp-deviceguard.md) | Yes | +| [DeviceGuard/EnableVirtualizationBasedSecurity](mdm/policy-csp-deviceguard.md) | Yes | +| [DeviceGuard/LsaCfgFlags](mdm/policy-csp-deviceguard.md) | Yes | +| [DeviceGuard/RequirePlatformSecurityFeatures](mdm/policy-csp-deviceguard.md) | Yes | +| [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | +| 
[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DeviceInstallation/PreventDeviceMetadataFromNetwork](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes | +| [DmaGuard/DeviceEnumerationPolicy](mdm/policy-csp-dmaguard.md) | Yes | +| [WindowsDefenderSecurityCenter/CompanyName](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableAppBrowserUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableClearTpmButton](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableFamilyUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableHealthUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableNetworkUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| 
[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisableVirusUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/Email](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/EnableCustomizedToasts](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/EnableInAppCustomization](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/HideSecureBoot](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/Phone](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [WindowsDefenderSecurityCenter/URL](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes | +| [SmartScreen/EnableAppInstallControl](mdm/policy-csp-smartscreen.md) | Yes | +| [SmartScreen/EnableSmartScreenInShell](mdm/policy-csp-smartscreen.md) | Yes | +| [SmartScreen/PreventOverrideForFilesInShell](mdm/policy-csp-smartscreen.md) | Yes | diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md index 9680e7249e..91cc6c9f18 100644 --- a/windows/client-management/device-update-management.md +++ b/windows/client-management/device-update-management.md 
@@ -1,20 +1,11 @@ --- title: Mobile device management MDM for device updates description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/05/2023 +ms.date: 08/10/2023 ms.collection: - highpri - tier2 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 --- # Mobile device management (MDM) for device updates diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md index 6e4d3f8d8c..98c231a399 100644 --- a/windows/client-management/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md @@ -1,17 +1,8 @@ --- title: Disconnecting from the management infrastructure (unenrollment) description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/13/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Disconnecting from the management infrastructure (unenrollment) diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index d388516c8b..06a528a0ca 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -42,7 +42,10 @@ "uhfHeaderId": "MSDocsHeader-Windows", "ms.technology": "itpro-manage", "audience": "ITPro", + "ms.prod": "windows-client", "ms.topic": "article", + "ms.author": "vinpa", + "author": "vinaypamnani-msft", "manager": "aaroncz", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", 
@@ -72,7 +75,18 @@ "Windows 10" ] }, - "fileMetadata": {}, + "fileMetadata": { + "appliesto": { + "./*.md": [ + "✅ Windows 11", + "✅ Windows 10" + ], + "client-tools/*.md": [ + "✅ Windows 11", + "✅ Windows 10" + ] + } + }, "template": [], "dest": "win-client-management", "markdownEngineName": "markdig" diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md index c60b1439b5..5e18d9ce19 100644 --- a/windows/client-management/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md @@ -1,18 +1,9 @@ --- title: Enable ADMX policies in MDM description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.localizationpriority: medium -ms.date: 11/01/2017 -ms.reviewer: -manager: aaroncz -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Enable ADMX policies in MDM diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index fc976f6277..aa3a1c4d73 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -1,20 +1,11 @@ --- title: Enroll a Windows device automatically using Group Policy description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/13/2023 -ms.reviewer: -manager: aaroncz +ms.date: 08/10/2023 ms.collection: - highpri - tier2 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 --- # Enroll a Windows device automatically using Group Policy diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md index 197087b7dc..58aaaa6019 100644 --- a/windows/client-management/enterprise-app-management.md +++ b/windows/client-management/enterprise-app-management.md @@ -1,17 +1,8 @@ --- title: Enterprise app management description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/13/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Enterprise app management diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md index 1d585aaf8e..ccbd65977d 100644 --- a/windows/client-management/esim-enterprise-management.md +++ b/windows/client-management/esim-enterprise-management.md 
@@ -1,16 +1,9 @@ --- title: eSIM Enterprise Management description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows. -ms.prod: windows-client -author: vinaypamnani-msft ms.localizationpriority: medium -ms.author: vinpa ms.topic: conceptual -ms.technology: itpro-manage -ms.date: 12/31/2017 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # How Mobile Device Management Providers support eSIM Management on Windows diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md index 7ae977249a..1cfb0ff3ad 100644 --- a/windows/client-management/federated-authentication-device-enrollment.md +++ b/windows/client-management/federated-authentication-device-enrollment.md @@ -1,17 +1,8 @@ --- title: Federated authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using federated authentication policy. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/05/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Federated authentication device enrollment diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md index 01cff16e92..b120e7eb10 100644 --- a/windows/client-management/implement-server-side-mobile-application-management.md +++ b/windows/client-management/implement-server-side-mobile-application-management.md 
@@ -1,17 +1,8 @@ --- title: Support for mobile application management on Windows description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices. -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/05/2023 -ms.reviewer: -manager: aaroncz -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Support for mobile application management on Windows diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 3595276771..c85ffdd241 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -1,18 +1,9 @@ --- title: Manage Windows devices in your organization - transitioning to modern management description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. -ms.prod: windows-client ms.localizationpriority: medium -ms.date: 04/05/2023 -author: vinaypamnani-msft -ms.author: vinpa -ms.reviewer: -manager: aaroncz +ms.date: 08/10/2023 ms.topic: overview -ms.technology: itpro-manage -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 --- # Manage Windows devices in your organization - transitioning to modern management diff --git a/windows/client-management/mdm-collect-logs.md b/windows/client-management/mdm-collect-logs.md index d544eab6d4..33870a7264 100644 --- a/windows/client-management/mdm-collect-logs.md +++ b/windows/client-management/mdm-collect-logs.md 
@@ -1,20 +1,11 @@ --- title: Collect MDM logs description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/13/2023 +ms.date: 08/10/2023 ms.collection: - highpri - tier2 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 --- # Collect MDM logs diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md index 5022ba4bf1..f8be2c3597 100644 --- a/windows/client-management/mdm-diagnose-enrollment.md +++ b/windows/client-management/mdm-diagnose-enrollment.md @@ -1,17 +1,8 @@ --- title: Diagnose MDM enrollment failures description: Learn how to diagnose enrollment failures for Windows devices -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/12/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Diagnose MDM enrollment diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index 7974866d71..b0850f563e 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md 
@@ -1,20 +1,11 @@ --- title: MDM enrollment of Windows devices description: Learn about mobile device management (MDM) enrollment of Windows devices to simplify access to your organization's resources. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.collection: - highpri - tier2 -ms.date: 04/05/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # MDM enrollment of Windows devices diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md index 63895b5917..ebe6d47a30 100644 --- a/windows/client-management/mdm-known-issues.md +++ b/windows/client-management/mdm-known-issues.md @@ -1,17 +1,8 @@ --- title: Known issues in MDM description: Learn about known issues for Windows devices in MDM -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/12/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Known issues diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index 0e5da2dd3a..01ebde8e94 100644 --- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md @@ -1,17 +1,9 @@ --- title: Mobile Device Management overview description: Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy. -ms.date: 04/05/2023 -ms.technology: itpro-manage +ms.date: 08/10/2023 ms.topic: article -ms.prod: windows-client ms.localizationpriority: medium -author: vinaypamnani-msft -ms.author: vinpa -manager: aaroncz -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 ms.collection: - highpri - tier2 
diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md index 1b1fb7c688..3feaa80acd 100644 --- a/windows/client-management/mobile-device-enrollment.md +++ b/windows/client-management/mobile-device-enrollment.md @@ -1,20 +1,11 @@ --- title: Mobile device enrollment description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/05/2023 +ms.date: 08/10/2023 ms.collection: - highpri - tier2 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 --- # Mobile device enrollment diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md index b1f316d46d..c90783b9cd 100644 --- a/windows/client-management/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md @@ -1,18 +1,9 @@ --- title: What's new in MDM enrollment and management description: Discover what's new and breaking changes in mobile device management (MDM) enrollment and management experience across all Windows devices. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.localizationpriority: medium -ms.date: 04/05/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # What's new in mobile device enrollment and management 
@@ -93,4 +84,3 @@ For details about Microsoft mobile device management protocols for Windows, see | [WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md) | Added new settings. | | [WindowsLicensing CSP](mdm/windowslicensing-csp.md) | Added S mode settings and SyncML examples. | | [Win32CompatibilityAppraiser CSP](mdm/win32compatibilityappraiser-csp.md) | New CSP. | - diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md index 7c5fcc68de..779c3b3a6e 100644 --- a/windows/client-management/oma-dm-protocol-support.md +++ b/windows/client-management/oma-dm-protocol-support.md @@ -1,17 +1,8 @@ --- title: OMA DM protocol support description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/08/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # OMA DM protocol support diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md index 8e72627af0..b8c8a73074 100644 --- a/windows/client-management/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/on-premise-authentication-device-enrollment.md @@ -1,17 +1,8 @@ --- title: On-premises authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/05/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # On-premises authentication device enrollment 
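Review bot: The only change this patch makes to on-premise-authentication-device-enrollment.md is to its front matter, yet `ms.date` moves from 04/05/2023 to 08/10/2023. If `ms.date` is meant to tell readers when the content was last reviewed, a metadata-only cleanup should not advance it. Consider keeping the previous date on files whose body is untouched; the same applies to the other front-matter-only hunks in this patch, several of which jump from 2017 dates (06/26/2017, 11/01/2017, 12/31/2017) to 08/10/2023.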
diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md index b1094d670f..1d03c53563 100644 --- a/windows/client-management/push-notification-windows-mdm.md +++ b/windows/client-management/push-notification-windows-mdm.md @@ -1,17 +1,8 @@ --- title: Push notification support for device management description: The DMClient CSP supports the ability to configure push-initiated device management sessions. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/05/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Push notification support for device management diff --git a/windows/client-management/server-requirements-windows-mdm.md b/windows/client-management/server-requirements-windows-mdm.md index 30f628af50..857b9332ba 100644 --- a/windows/client-management/server-requirements-windows-mdm.md +++ b/windows/client-management/server-requirements-windows-mdm.md @@ -1,17 +1,8 @@ --- title: Server requirements for using OMA DM to manage Windows devices description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Server requirements for using OMA DM to manage Windows devices diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md index b3724368d3..2e7feed7fd 100644 --- a/windows/client-management/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md 
@@ -1,17 +1,8 @@ --- title: Structure of OMA DM provisioning files description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Structure of OMA DM provisioning files @@ -24,10 +15,10 @@ Each message is composed of a header, specified by the SyncHdr element, and a me The following table shows the OMA DM versions that are supported. -|Version|Format| -|--- |--- | -|OMA DM version 1.1.2|<SyncML xmlns='SYNCML:SYNCML1.1'>

</SyncML>| -|OMA DM version 1.2|<SyncML xmlns='SYNCML:SYNCML1.2'>

</SyncML>| +| Version | Format | +|----------------------|----------------------------------------------| +| OMA DM version 1.1.2 | `` | +| OMA DM version 1.2 | `` | ## File format @@ -85,8 +76,6 @@ The following example shows the header component of a DM message. In this case, > [!NOTE] > The `` node value for the `` element in the SyncHdr of the device-generated DM package should be the same as the value of ./DevInfo/DevID. For more information about DevID, see [DevInfo configuration service provider](mdm/devinfo-csp.md). - - ```xml 1.2 diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md index dd0861e26c..6b4e1ac228 100644 --- a/windows/client-management/understanding-admx-backed-policies.md +++ b/windows/client-management/understanding-admx-backed-policies.md @@ -1,17 +1,8 @@ --- title: Understanding ADMX policies description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices. -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/23/2020 -ms.reviewer: -manager: aaroncz -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Understanding ADMX policies diff --git a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md index d3ea09a030..d13e5b475e 100644 --- a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md +++ b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md 
@@ -1,17 +1,8 @@ --- title: Using PowerShell scripting with the WMI Bridge Provider description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Using PowerShell scripting with the WMI Bridge Provider diff --git a/windows/client-management/win32-and-centennial-app-policy-configuration.md b/windows/client-management/win32-and-centennial-app-policy-configuration.md index b6502accac..719aa09af2 100644 --- a/windows/client-management/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/win32-and-centennial-app-policy-configuration.md @@ -1,17 +1,8 @@ --- title: Win32 and Desktop Bridge app ADMX policy Ingestion description: Ingest ADMX files and set ADMX policies for Win32 and Desktop Bridge apps. -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/23/2020 -ms.reviewer: -manager: aaroncz -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Win32 and Desktop Bridge app ADMX policy Ingestion diff --git a/windows/client-management/windows-mdm-enterprise-settings.md b/windows/client-management/windows-mdm-enterprise-settings.md index 82d1bf3135..e389098154 100644 --- a/windows/client-management/windows-mdm-enterprise-settings.md +++ b/windows/client-management/windows-mdm-enterprise-settings.md 
@@ -1,17 +1,8 @@ --- title: Enterprise settings and policy management description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow. -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 04/05/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # Enterprise settings and policy management diff --git a/windows/client-management/wmi-providers-supported-in-windows.md b/windows/client-management/wmi-providers-supported-in-windows.md index 79a3785540..a3968023ff 100644 --- a/windows/client-management/wmi-providers-supported-in-windows.md +++ b/windows/client-management/wmi-providers-supported-in-windows.md @@ -1,17 +1,8 @@ --- title: WMI providers supported in Windows description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI). -ms.reviewer: -manager: aaroncz -ms.author: vinpa ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 +ms.date: 08/10/2023 --- # WMI providers supported in Windows 
@@ -109,79 +100,76 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw | Class | Test completed in Windows 10 | |---------------------------------------------------------------------------------------------------------|------------------------------| -| [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) | -| [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) | +| [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) | | +| [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) | | | [**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes | | [**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes | -| [**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) | +| [**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) | | | [**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes | | [**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes | | [**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes | -| [**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) | +| [**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) | | | [**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) | Yes | | [**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes | -| [**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) | +| [**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) | | | [**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes | -| [**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) | -| [**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) | -| [**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) | -| 
[**Win32\_Environment**](/windows/win32/cimwin32prov/win32-environment) | -| [**Win32\_IDEController**](/windows/win32/cimwin32prov/win32-idecontroller) | -| [**Win32\_InfraredDevice**](/windows/win32/cimwin32prov/win32-infrareddevice) | -| [**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) | -| [**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) | -| [**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) | +| [**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) | | +| [**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) | | +| [**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) | | +| [**Win32\_Environment**](/windows/win32/cimwin32prov/win32-environment) | | +| [**Win32\_IDEController**](/windows/win32/cimwin32prov/win32-idecontroller) | | +| [**Win32\_InfraredDevice**](/windows/win32/cimwin32prov/win32-infrareddevice) | | +| [**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) | | +| [**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) | | +| [**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) | | | [**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes | -| [**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) | +| [**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) | | | [**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes | -| [**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) | +| [**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) | | | [**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes | -| [**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) | -| [**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) | -| 
[**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) | -| [**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) | -| [**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) | +| [**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) | | +| [**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) | | +| [**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) | | +| [**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) | | +| [**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) | | | [**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes | -| [**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) | -| [**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) | -| [**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) | -| [**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) | -| [**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) | +| [**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) | | +| [**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) | | +| [**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) | | +| [**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) | | +| [**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) | | | [**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes | -| [**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) | -| [**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) | -| 
[**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) | -| [**Win32\_PortableBattery**](/windows/win32/cimwin32prov/win32-portablebattery) | -| [**Win32\_PortResource**](/windows/win32/cimwin32prov/win32-portresource) | -| [**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) | -| [**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) | -| [**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) | +| [**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) | | +| [**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) | | +| [**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) | | +| [**Win32\_PortableBattery**](/windows/win32/cimwin32prov/win32-portablebattery) | | +| [**Win32\_PortResource**](/windows/win32/cimwin32prov/win32-portresource) | | +| [**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) | | +| [**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) | | +| [**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) | | | [**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes | | [**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes | -| [**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) | -| [**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) | -| [**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) | -| [**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) | -| [**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) | +| [**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) | | +| [**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) | | +| [**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) | | +| 
[**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) | | +| [**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) | | | [**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes | | [**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes | -| [**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) | -| [**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) | +| [**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) | | +| [**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) | | | [**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes | -| [**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) | +| [**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) | | | [**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes | -| [**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) | +| [**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) | | | [**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes | -| [**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) | -| [**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) | +| [**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) | | +| [**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) | | | [**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes | -| [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | -| **Win32\_WindowsUpdateAgentVersion** | +| [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | | +| **Win32\_WindowsUpdateAgentVersion** | | ## Related topics -[Configuration service provider reference](mdm/index.yml) - -## Related Links - [CIM Video 
Controller](/windows/win32/cimwin32prov/cim-videocontroller) +[Configuration service provider reference](mdm/index.yml) From 98f6d58ccbea1c3672d583fdc0ff69ba9db4c746 Mon Sep 17 00:00:00 2001 
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 10 Aug 2023 15:10:38 -0400 Subject: [PATCH 094/110] Acro-updates --- ...e-active-directory-integration-with-mdm.md | 70 +++++++++---------- ...omatic-mdm-enrollment-in-the-new-portal.md | 10 ++- ...ollment-using-windows-provisioning-tool.md | 14 ++-- .../certificate-renewal-windows-mdm.md | 12 ++-- .../administrative-tools-in-windows.md | 2 +- ...t-removal-policy-external-storage-media.md | 2 +- ...e-device-installation-with-group-policy.md | 16 ++--- .../client-tools/mandatory-user-profile.md | 34 ++++----- .../client-tools/windows-libraries.md | 8 +-- .../client-tools/windows-version-search.md | 6 +- windows/client-management/config-lock.md | 19 ++--- .../device-update-management.md | 12 ++-- .../disconnecting-from-mdm-unenrollment.md | 20 +++--- .../enable-admx-backed-policies-in-mdm.md | 10 +-- ...device-automatically-using-group-policy.md | 32 ++++----- .../enterprise-app-management.md | 24 +++---- .../esim-enterprise-management.md | 2 +- ...erated-authentication-device-enrollment.md | 24 +++---- ...rver-side-mobile-application-management.md | 28 ++++---- ...-in-your-organization-modern-management.md | 4 +- windows/client-management/mdm-collect-logs.md | 30 ++++---- .../mdm-diagnose-enrollment.md | 32 ++++----- .../mdm-enrollment-of-windows-devices.md | 54 +++++++------- windows/client-management/mdm-known-issues.md | 10 +-- windows/client-management/mdm-overview.md | 6 +- .../mobile-device-enrollment.md | 16 ++--- ...ew-in-windows-mdm-enrollment-management.md | 2 +- .../oma-dm-protocol-support.md | 36 +++++----- ...remise-authentication-device-enrollment.md | 22 +++--- .../push-notification-windows-mdm.md | 16 ++--- .../server-requirements-windows-mdm.md | 2 +- .../structure-of-oma-dm-provisioning-files.md | 4 +- .../understanding-admx-backed-policies.md | 18 ++--- ...-scripting-with-the-wmi-bridge-provider.md | 8 +-- ...and-centennial-app-policy-configuration.md | 12 ++-- 
.../windows-mdm-enterprise-settings.md | 4 +- .../wmi-providers-supported-in-windows.md | 4 +- 37 files changed, 310 insertions(+), 315 deletions(-) diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index 49babbaee1..7f11d203d5 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md @@ -48,7 +48,7 @@ Azure AD MDM enrollment is a two-step process: To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**. -- **Terms of Use endpoint**: Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user's consent before the actual enrollment phase begins. +- **Terms of Use endpoint**: Use this endpoint to inform users of the ways in which their organization can control their device. The **Terms of Use** page is responsible for collecting user's consent before the actual enrollment phase begins. It's important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies. 
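Review bot: The rewritten **Terms of Use endpoint** bullet still reads "collecting user's consent", which is missing an article; since the line is being touched anyway, change it to "collecting the user's consent". The new bold on "The **Terms of Use** page" is also inconsistent with the unchanged paragraph right after it, which writes "Terms of Use flow" and "Terms of Use URL" without bold. Either bold the term only where it names the endpoint, or apply the same treatment throughout the section.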
@@ -73,7 +73,7 @@ A cloud-based MDM is a SaaS application that provides device management capabili The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Azure AD, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub. > [!NOTE] -> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guides below: +> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow these step-by-step guides: > > - [Quickstart: Create a new tenant in Azure Active Directory](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant. > - [Associate or add an Azure subscription to your Azure Active Directory tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal. 
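Review bot: The last context line of the @@ -73,7 hunk still ends with "manage it via the Azure Portal", while this same patch lowercases the term to "Azure portal" in azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md. The note block is already being edited here, so change that bullet to "Azure portal" as well to keep the capitalization consistent across the files touched.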
@@ -97,11 +97,11 @@ For more information about registering applications with Azure AD, see [Basics o The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Microsoft Graph API are bearer tokens and should be protected to avoid unauthorized disclosure. -For security best practices, see [Windows Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). +For security best practices, see [Microsoft Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). -For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant. +For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants managed by the MDM vendor in their Azure AD tenant. -For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and must be rolled over by the customer's administrator. To improve security, provide guidance to customers about rolling over and protecting the keys. +For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and the customer's administrator must roll over the keys. To improve security, provide guidance to customers about rolling over and protecting the keys. ## Publish your MDM app to Azure AD app gallery 
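Review bot: The added line "For security best practices, see [Microsoft Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler)" in the @@ -97,11 hunk renames the link text but keeps a target that is the JwtSecurityTokenHandler API reference, the same URL this file links elsewhere as "JwtSecurityTokenHandler Class". A reader looking for guidance on protecting application keys and bearer tokens lands on a class reference instead. Point the link at the intended security guidance, or retitle it to match its target.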
@@ -116,23 +116,23 @@ To publish your application, [submit a request to publish your application in Az The following table shows the required information to create an entry in the Azure AD app gallery. -|Item|Description| -|--- |--- | -|**Application ID**|The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multi-tenant app.| -|**Publisher**|A string that identifies the publisher of the app.| -|**Application URL**|A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment.| -|**Description**|A brief description of your MDM app, which must be under 255 characters.| -|**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215| +| Item | Description | +|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Application ID** | The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multi-tenant app. | +| **Publisher** | A string that identifies the publisher of the app. | +| **Application URL** | A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment. | +| **Description** | A brief description of your MDM app, which must be under 255 characters. | +| **Icons** | A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215 | ### Add on-premises MDM to the app gallery There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant. 
-However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. The ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance. +However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. The ID and key obtain authorization to access the Microsoft Graph API and report device compliance. ## Themes -The pages rendered by the MDM in the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). These templates are important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. +The pages rendered by the MDM in the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). These templates are important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Avoid copying the templates because it is difficult to get the button placement right. There are three distinct scenarios: 
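Review bot: In the Themes paragraph at the end of the @@ -116,23 hunk, "Avoid copying the templates because it is difficult to get the button placement right" follows a sentence saying the pages must use the downloaded Windows templates, so it is unclear what "copying" refers to; the removed wording had the same ambiguity. Say directly what the vendor should do with the downloaded templates and what to avoid. "it is" should also be "it's" to match the contractions this patch introduces in other hunks.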
@@ -158,7 +158,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is ## Terms of Use protocol semantics -The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue. +The MDM server hosts the **Terms of Use** endpoint. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue. ### Redirect to the Terms of Use endpoint 
@@ -166,12 +166,12 @@ This redirect is a full page redirect to the Terms of User endpoint hosted by th The following parameters are passed in the query string: -|Item|Description| -|--- |--- | -|redirect_uri|After the user accepts or rejects the Terms of Use, the user is redirected to this URL.| -|client-request-id|A GUID that is used to correlate logs for diagnostic and debugging purposes. Use this parameter to log or trace the state of the enrollment request to help find the root cause of failures.| -|api-version|Specifies the version of the protocol requested by the client. This value provides a mechanism to support version revisions of the protocol.| -|mode|Specifies that the device is organization owned when mode=azureadjoin. This parameter isn't present for BYOD devices.| +| Item | Description | +|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| redirect_uri | After the user accepts or rejects the Terms of Use, the user is redirected to this URL. | +| client-request-id | A GUID that is used to correlate logs for diagnostic and debugging purposes. Use this parameter to log or trace the state of the enrollment request to help find the root cause of failures. | +| api-version | Specifies the version of the protocol requested by the client. This value provides a mechanism to support version revisions of the protocol. | +| mode | Specifies that the device is organization owned when mode=azureadjoin. This parameter isn't present for BYOD devices. | ### Access token 
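Review bot: The reflowed table in the @@ -166,12 hunk leaves the query-string parameter names (redirect_uri, client-request-id, api-version, mode) and the literal mode=azureadjoin as plain text, while a later hunk in this file puts literals such as `com.microsoft/MDM/LoginStatus` and `chr` in code formatting. Apply the same formatting here so the exact parameter spellings are unambiguous. The sentence shown in this hunk's header, "full page redirect to the Terms of User endpoint", also has a typo ("User" for "Use") worth fixing in the same pass.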
@@ -181,12 +181,12 @@ Azure AD issues a bearer access token. The token is passed in the authorization The following claims are expected in the access token passed by Windows to the Terms of Use endpoint: -|Item|Description| -|--- |--- | -|Object ID|Identifier of the user object corresponding to the authenticated user.| -|UPN|A claim containing the user principal name (UPN) of the authenticated user.| -|TID|A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.| -|Resource|A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` | +| Item | Description | +|-----------|----------------------------------------------------------------------------------------------| +| Object ID | Identifier of the user object corresponding to the authenticated user. | +| UPN | A claim containing the user principal name (UPN) of the authenticated user. | +| TID | A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam. | +| Resource | A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` | > [!NOTE] > There's no device ID claim in the access token because the device may not yet be enrolled at this time. @@ -200,7 +200,7 @@ https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm Authorization: Bearer eyJ0eXAiOi ``` -The MDM is expected to validate the signature of the access token to ensure it was issued by Azure AD and ensure that recipient is appropriate. +The MDM is expected to validate the signature of the access token to ensure it is issued by Azure AD and that the recipient is appropriate. ### Terms of Use content 
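Review bot: The added sentence in the @@ -200,7 hunk, "validate the signature of the access token to ensure it is issued by Azure AD and that the recipient is appropriate", still does not say what "the recipient is appropriate" means in terms of the token. The claims table in the preceding hunk lists Object ID, UPN, TID and Resource; name the claim the MDM is expected to compare against its own identity so implementers know which check is required in addition to the signature. "it is issued" also reads oddly for a token that already exists; the removed "it was issued" was more accurate.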
@@ -225,7 +225,7 @@ At this point, the user is on the Terms of Use page shown during the OOBE or fro - **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use. - **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user. -Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. MDM enrollment can't be declined by the user if configured by the administrator for the Azure AD Join. +Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. The user can't decline the MDM enrollment if configured by the administrator for the Azure AD Join. We recommend that you send the client-request-id parameters in the query string as part of this redirect response. 
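Review bot: In the @@ -225,7 hunk, "The user can't decline the MDM enrollment if configured by the administrator for the Azure AD Join" has a dangling "if configured", so it is not clear what the administrator configures. Suggest "If the administrator configured MDM enrollment for Azure AD Join, the user can't decline it." The context line that follows says "client-request-id parameters" (plural) for a single parameter and could be fixed at the same time.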
@@ -282,7 +282,7 @@ There are two different MDM enrollment types that integrate with Azure AD, and u - **Multiple user management for Azure AD-joined devices** - In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device. + In this scenario, the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. 
Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest is logged on to the device. - **Adding a work account and MDM enrollment to a device**: @@ -303,7 +303,7 @@ There are two different MDM enrollment types that integrate with Azure AD, and u - Device ID - identifies the device that is checking in - Tenant ID - Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens: + Access tokens issued by Azure AD are JSON web tokens (JWTs). Windows presents a valid JWT token to the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens: - Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). - Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). 
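Review bot: The added line in the @@ -303,7 hunk says "Windows presents a valid JWT token to the MDM enrollment endpoint", but the bullets that follow describe how the MDM evaluates the token, so validity is something the server establishes rather than a given. Drop "valid", and drop the redundant "token" after JWT, which the previous sentence already expands as JSON web token: "Windows presents a JWT to the MDM enrollment endpoint to start the enrollment process."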
@@ -335,8 +335,8 @@ Alert sample: An alert is sent to the MDM server in DM package \#1. -- Alert type - com.microsoft/MDM/LoginStatus -- Alert format - chr +- Alert type - `com.microsoft/MDM/LoginStatus` +- Alert format - `chr` - Alert data - provide sign-in status information for the current active logged in user. - Signed-in user who has an Azure AD account - predefined text: user. - Signed-in user without an Azure AD account- predefined text: others. @@ -362,7 +362,7 @@ Here's an example. ## Report device compliance to Azure AD -Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. The device compliance with configured policies is evaluated by the MDM and then reported to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD. +Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. MDM evaluates the device compliance with configured policies and then reports it to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD. For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822). @@ -371,7 +371,7 @@ For a sample that illustrates how an MDM can obtain an access token using OAuth ### Use Microsoft Graph API -The following sample REST API call illustrates how an MDM can use the Microsoft Graph API to report compliance status of a device being managed by it. +The following sample REST API call illustrates how an MDM can use the Microsoft Graph API to report compliance status of a managed device. > [!NOTE] > This API is only applicable for approved MDM apps on Windows devices. 
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index 7be811341c..636a885451 100644 --- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md @@ -7,14 +7,12 @@ ms.date: 08/10/2023 # Automatic MDM enrollment in the Intune admin center -Windows devices can be enrolled in to Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in Azure Portal. - -1. Go to your Azure AD Blade. +Windows devices can be enrolled in to Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in Azure portal. +1. Go to your Azure AD portal. 1. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. - -1. Select **Microsoft Intune** and configure the blade. You can specify settings to allow **All** users to enroll a device, or choose to allow **Some** users (and specify a group). +1. Select **Microsoft Intune** and configure the enrollment options. You can specify settings to allow **All** users to enroll a device, or choose to allow **Some** users (and specify a group). ![Configure the Blade.](images/azure-intune-configure-scope.png) -1. Select **Save** to configure MDM auto-enrollment for Azure AD joined devices and bring-your-own-device scenarios. +1. Select **Save** to configure MDM autoenrollment for Azure AD joined devices and bring-your-own-device scenarios. diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md index b7120cd181..84c1486cec 100644 
--- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md @@ -1,17 +1,17 @@ --- title: Bulk enrollment -description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. +description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. ms.topic: article ms.date: 08/10/2023 --- # Bulk enrollment using Windows Configuration Designer -Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join enrollment scenario. +Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join enrollment scenario. ## Typical use cases -- Set up devices in bulk for large organizations to be managed by MDM. +- Set up devices in bulk for large organizations for MDM management. - Set up kiosks, such as ATMs or point-of-sale (POS) terminals. - Set up school computers. - Set up industrial machinery. 
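Review bot: In the @@ -1,17 hunk, the added bullet "Set up devices in bulk for large organizations for MDM management" repeats "for" and expands to "mobile device management management". The description and intro lines in the same hunk use "to be managed by an MDM server"; reuse that phrasing, for example "Set up devices in bulk for large organizations to be managed by an MDM server."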
@@ -121,7 +121,7 @@ Using the WCD, create a provisioning package using the enrollment information re 1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). 1. When you're done adding all the settings, on the **File** menu, select **Save**. -1. Export and build the package (steps 10-13 in the procedure above). +1. Export and build the package (steps 10-13 in previous section). 1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). 1. Apply the package to your devices. @@ -139,9 +139,9 @@ Using the WCD, create a provisioning package using the enrollment information re ## Retry logic if there's a failure -- If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row. -- If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from the SYSTEM context. -- It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well. +- If the provisioning engine receives a failure from a CSP, it retries provisioning three times in a row. +- If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts are run from the SYSTEM context. +- It also retries the provisioning each time it's launched, if started from somewhere else as well. - In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system has been idle](/windows/win32/taskschd/task-idle-conditions). ## Related articles 
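Review bot: The retry-logic bullets in the @@ -139,9 hunk are only partly moved to present tense: the first and third added bullets say "it retries" and "It also retries", but the second still reads "It will retry four times" next to "These attempts are run", and the unchanged last bullet keeps "provisioning will be restarted". Convert the remaining "will" forms so the list reads consistently.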
diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md index 297a6f1918..233a34e3dc 100644 --- a/windows/client-management/certificate-renewal-windows-mdm.md +++ b/windows/client-management/certificate-renewal-windows-mdm.md 
@@ -23,11 +23,11 @@ Auto certificate renewal is the only supported MDM client certificate renewal me For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under `CertificateStore/My/WSTEP/Renew` URL. -With automatic renewal, the PKCS#7 message content isn't base64 encoded separately. With manual certificate renewal, there's an additional base64 encoding for PKCS#7 message content. +With automatic renewal, the PKCS#7 message content isn't base64 encoded separately. With manual certificate renewal, base64 encoding for PKCS#7 message content is required. -During the automatic certificate renewal process, if the root certificate isn't trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md). +During the automatic certificate renewal process, if the device doesn't trust the root certificate, the authentication fails. Use one of device preinstalled root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md). -During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used. +During the automatic certificate renewal process, the device denies HTTP redirect request from the server. It doesn't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used. The following example shows the details of an automatic renewal request. 
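Review bot: The rewrite of the manual-renewal sentence in the @@ -23,11 hunk changes its meaning: the removed line said "there's an additional base64 encoding for PKCS#7 message content", and the added line says "base64 encoding for PKCS#7 message content is required", which loses the contrast with the previous sentence ("isn't base64 encoded separately"). Keep "additional", for example "an additional base64 encoding of the PKCS#7 message content is required", so it stays clear that manual renewal adds an extra encoding layer. In the redirect paragraph, "denies HTTP redirect request" needs an article or a plural.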
@@ -89,15 +89,15 @@ In Windows, the renewal period can only be set during the MDM enrollment phase. For more information about the parameters, see the [CertificateStore configuration service provider](mdm/certificatestore-csp.md). -Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead of every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week. +Unlike manual certificate renewal, the device doesn't perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead of every seven days (weekly). This change increases the chance that the device will try to connect at different days of the week. ## Certificate renewal response -When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment): +When RequestType is set to Renew, the web service verifies the following (in addition to the initial enrollment): - The signature of the PKCS#7 BinarySecurityToken is correct - The client's certificate is in the renewal period -- The certificate was issued by the enrollment service +- The certificate is issued by the enrollment service - The requester is the same as the requester for initial enrollment - For standard client's request, the client hasn't been blocked 
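Review bot: In the verification list of the @@ -89,15 hunk, "The certificate is issued by the enrollment service" replaces "was issued", but the list is checking the client's existing certificate at renewal time, so the past tense was correct and the new wording can be read as the service issuing a certificate at this step. Keep "was issued by the enrollment service". In the same hunk, "a couple months" should be "a couple of months".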
diff --git a/windows/client-management/client-tools/administrative-tools-in-windows.md b/windows/client-management/client-tools/administrative-tools-in-windows.md index 41a9ab68ab..7c30da23de 100644 --- a/windows/client-management/client-tools/administrative-tools-in-windows.md +++ b/windows/client-management/client-tools/administrative-tools-in-windows.md @@ -62,6 +62,6 @@ These tools were included in previous versions of Windows. The associated docume > [!TIP] > If the linked content in this list doesn't provide the information you need to use that tool, send feedback with the **This page** link in the **Feedback** section at the bottom of this article. -## Related topics +## Related articles [Diagnostic data viewer](/windows/privacy/diagnostic-data-viewer-overview) diff --git a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md index 72d54682b2..1bcd9ff753 100644 --- a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md 
@@ -16,7 +16,7 @@ You can change the policy setting for each external device, and the policy that You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects: -- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance. +- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows can't cache disk write operations. This may degrade system performance. - **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish. > [!IMPORTANT] diff --git a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md index bcc46c3832..8efcf24c66 100644 --- a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md +++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md 
@@ -56,9 +56,9 @@ The scenarios presented in this guide illustrate how you can control device inst |--|--| | Scenario #1: Prevent installation of all printers | In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy. | | Scenario #2: Prevent installation of a specific printer | In this scenario, the administrator allows standard users to install all printers while but preventing them from installing a specific one. | -| Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed | In this scenario, you'll combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies. | +| Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed | In this scenario, you combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies. | | Scenario #4: Prevent installation of a specific USB device | This scenario, although similar to scenario #2, brings another layer of complexity-how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. 
| -| Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive | In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. | +| Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive | In this scenario, combining all previous four scenarios, you learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. | ## Technology Review 
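Review bot: The rewritten Scenario #5 row still reads "the administrator likes to prevent any farther interaction with them (blocking them all together)". Since this row is being touched anyway, change it to "wants to prevent any further interaction with them (blocking them altogether)". The unchanged rows in the same hunk carry "Thus is a basic scenario" (Scenario #1) and "while but preventing them" (Scenario #2), which are worth fixing in the same pass.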
@@ -95,7 +95,7 @@ Hardware IDs are the identifiers that provide the exact match between a device a Windows uses these identifiers to select a driver if the operating system can't find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they're generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device. -When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see [How Windows selects a driver package for a device](/windows-hardware/drivers/install/how-windows-selects-a-driver-for-a-device). +When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you're attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. 
A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see [How Windows selects a driver package for a device](/windows-hardware/drivers/install/how-windows-selects-a-driver-for-a-device). > [!NOTE] > For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging. 
@@ -168,7 +168,7 @@ Note: This policy setting takes precedence over any other policy settings that a ### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria -This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows: +This policy setting changes the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows: > **Device instance IDs** > **Device IDs** > **Device setup class** > **Removable devices** 
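Review bot: In the added paragraph, "criteria" is plural but takes singular verbs twice: "overlapping device match criteria is applied" and "more specific match criteria supersedes less specific match criteria". Suggest "criteria are applied" and "supersede". This sentence defines which of an overlapping Allow and Prevent rule wins, so it should read without ambiguity.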
@@ -177,7 +177,7 @@ This policy setting will change the evaluation order in which Allow and Prevent > > If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. -Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below. +Some of these policies take precedence over other policies. The following flowchart illustrates how Windows processes them to determine whether a user can install a device or not. ![Device Installation policies flow chart.](images/device-installation-flowchart.png)
_Device Installation policies flow chart_ @@ -216,7 +216,7 @@ To find device identification strings using Device Manager 1. Make sure your printer is plugged in and installed. -1. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application. +1. To open Device Manager, select the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application. 1. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped. @@ -317,9 +317,9 @@ Creating the policy to prevent all printers from being installed: 1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button. -1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option takes you to a table where you can enter the class identifier to block. -1. Enter the printer class GUID you found above with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`. +1. Enter the printer class GUID you found with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`. ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md index 65a2911980..8e65545d6c 100644 --- a/windows/client-management/client-tools/mandatory-user-profile.md +++ b/windows/client-management/client-tools/mandatory-user-profile.md 
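Review bot: In the -317,9 hunk of manage-device-installation-with-group-policy.md, dropping "above" leaves "Enter the printer class GUID you found with the curly braces", which now reads as if the braces were how the GUID was found. Suggest "Enter the printer class GUID you found earlier, including the curly braces". The step before it also keeps "click the 'Show...' box" while the -216,7 hunk changes "click" to "select"; use one verb throughout.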
@@ -10,17 +10,17 @@ ms.collection: # Create mandatory user profiles -A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. +A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but aren't limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile aren't saved when a mandatory user profile is assigned. Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles. -When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile. +When the server that stores the mandatory profile is unavailable, such as when the user isn't connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user is signed in with a temporary profile. 
User profiles become mandatory profiles when the administrator renames the `NTuser.dat` file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile. ## Profile extension for each Windows version -The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version. +The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it applies to. The following table lists the correct extension for each operating system version. | Client operating system version | Server operating system version | Profile extension | |-------------------------------------|-------------------------------------------------|-------------------| @@ -39,7 +39,7 @@ First, you create a default user profile with the customizations that you want, ### How to create a default user profile -1. Sign in to a computer running Windows as a member of the local Administrator group. Do not use a domain account. +1. Sign in to a computer running Windows as a member of the local Administrator group. Don't use a domain account. > [!NOTE] > Use a lab or extra computer running a clean installation of Windows to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. 
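Review bot: In the -39,7 hunk, step 1 becomes "Don't use a domain account" but the [!NOTE] directly under it still says "Do not use a computer that is required for business". Extend the change to the note so the two adjacent warnings read the same way; the note is the one that tells the reader the process removes all domain accounts and their profile folders, so it should not look like it was skipped.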
@@ -51,7 +51,7 @@ First, you create a default user profile with the customizations that you want, 1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. -1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10). +1. Uninstall any application you don't need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10). > [!NOTE] > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times. 
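Review bot: The added uninstall step still has "For examples on how to uninstall Windows Application see", which needs a plural and a comma: "For examples of how to uninstall Windows applications, see [Remove-AppxProvisionedPackage]". The [!NOTE] under it also keeps "It is highly recommended ... as it will speed up user sign-in times", which the rest of this patch would write with a contraction and in the present tense.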
@@ -73,27 +73,27 @@ First, you create a default user profile with the customizations that you want, 1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the setup, and then sign in to the computer using an account that has local administrator privileges. -1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section. +1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and select **Settings** in the **User Profiles** section. -1. In **User Profiles**, click **Default Profile**, and then click **Copy To**. +1. In **User Profiles**, select **Default Profile**, and then select **Copy To**. ![Example of User Profiles UI.](images/copy-to.png) -1. In **Copy To**, under **Permitted to use**, click **Change**. +1. In **Copy To**, under **Permitted to use**, select **Change**. ![Example of Copy To UI.](images/copy-to-change.png) -1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**. +1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, select **Check Names**, and then select **OK**. 1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with `.v6` to identify it as a user profile folder for Windows 10, version 1607 or later. - - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. 
+ - If the device is joined to the domain and you're signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. ![Example of Copy profile to.](images/copy-to-path.png) - - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. + - If the device isn't joined to the domain, you can save the profile locally, and then copy it to the shared folder location. -1. Click **OK** to copy the default user profile. +1. Select **OK** to copy the default user profile. ### How to make the user profile mandatory @@ -109,7 +109,7 @@ First, you create a default user profile with the customizations that you want, 1. Open the properties of the "profile.v6" folder. 1. Select the **Security** tab and then select **Advanced**. 1. Verify the **Owner** of the folder. It must be the builtin **Administrators** group. To change the owner, you must be a member of the Administrators group on the file server, or have "Set owner" privilege on the server. -1. When you set the owner, select **Replace owner on subcontainers and objects** before you click OK. +1. When you set the owner, select **Replace owner on subcontainers and objects** before you select OK. ## Apply a mandatory user profile to users 
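Review bot: In the -109,7 hunk, the changed step ends "before you select OK" with a plain OK, while the -73,27 hunk just before it uses "select **OK**" for the same button. Suggest "before you select **OK**" so the UI label is formatted consistently across the procedure.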
@@ -118,10 +118,10 @@ In a domain, you modify properties for the user account to point to the mandator ### How to apply a mandatory user profile to users 1. Open **Active Directory Users and Computers** (dsa.msc). -1. Navigate to the user account that you will assign the mandatory profile to. +1. Navigate to the user account that you'll assign the mandatory profile to. 1. Right-click the user name and open **Properties**. 1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is `\\server\share\profile.v6`, you would enter `\\server\share\profile`. -1. Click **OK**. +1. Select **OK**. It may take some time for this change to replicate to all domain controllers. @@ -136,9 +136,9 @@ When a user is configured with a mandatory profile, Windows starts as though it | Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ✅ | ❌ | > [!NOTE] -> The Group Policy settings above can be applied in Windows Professional edition. +> These Group Policy settings can be applied in Windows Professional edition. -## Related topics +## Related articles - [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies) - [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps) diff --git a/windows/client-management/client-tools/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md index 08d317028a..43666505af 100644 --- a/windows/client-management/client-tools/windows-libraries.md +++ b/windows/client-management/client-tools/windows-libraries.md 
@@ -11,7 +11,7 @@ Libraries are virtual containers for users' content. A library can contain files ## Features for Users -Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users: +Windows libraries provide full content search and rich metadata. Libraries offer the following advantages to users: - Aggregate content from multiple storage locations into a single, unified presentation. - Enable users to stack and group library contents based on metadata. @@ -51,7 +51,7 @@ Libraries are built upon the legacy known folders (such as My Documents, My Pict ### Hiding Default Libraries -Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane can't be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they don't exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions. +Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane can't be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and re-create them if they don't exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions. ### Default Save Locations for Libraries 
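Review bot: In the -11,7 hunk of windows-libraries.md, replacing "are backed by full content search and rich metadata" with "provide full content search and rich metadata" changes the claim, not just the voice: the original says search and metadata support libraries, the new text says libraries supply them. If the intent was only to drop the passive, something like "Full content search and rich metadata back Windows libraries" keeps the meaning; otherwise confirm the new statement is accurate.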
@@ -105,9 +105,7 @@ The following library attributes can be modified within Windows Explorer, the Li - Order of library locations - Default save location -The library icon can be modified by the administrator or user by directly editing the Library Description schema file. - -See [Library Description Schema](/windows/win32/shell/library-schema-entry) for information on creating Library Description files. +The library icon can be modified by the administrator or user by directly editing the Library Description schema file. See [Library Description Schema](/windows/win32/shell/library-schema-entry) for information on creating Library Description files. ## See also diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md index cfb56793c3..fefbaf36f1 100644 --- a/windows/client-management/client-tools/windows-version-search.md +++ b/windows/client-management/client-tools/windows-version-search.md 
@@ -11,11 +11,11 @@ The [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servi In the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels), you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment. -To determine if your device is enrolled in the Long-Term Servicing Channel or the General Availability Channel, you'll need to know what version of Windows you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them. +To determine if your device is enrolled in the Long-Term Servicing Channel or the General Availability Channel, you need to know what version of Windows you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them. ## System Properties -Select **Start** > **Settings** > **System**, then select **About**. You'll then see **Edition**, **Version**, and **OS Build** information. +Select **Start** > **Settings** > **System**, then select **About**. You then see **Edition**, **Version**, and **OS Build** information. :::image type="content" source="images/systemcollage.png" alt-text="screenshot of the system properties window for a device running Windows 10."::: 
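Review bot: The context line at the top of this hunk says "This servicing modal is ideal for pilot deployments"; "modal" should be "model", and it sits directly above the paragraph being edited. In the added System Properties line, "You then see **Edition**, **Version**, and **OS Build** information" reads stiffly after removing "You'll"; "The **Edition**, **Version**, and **OS Build** information is displayed" avoids the problem.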
@@ -40,6 +40,6 @@ You can type the following in the search bar and press **ENTER** to see version :::image type="content" source="images/refcmd.png" alt-text="screenshot of system information display text."::: -- At the PowerShell or Command Prompt, type `slmgr /dlv`, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below: +- At the PowerShell or Command Prompt, type `slmgr /dlv`, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the following image: :::image type="content" source="images/slmgr-dlv.png" alt-text="screenshot of software licensing manager."::: diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md index 719f8dd7ed..443c29c949 100644 --- a/windows/client-management/config-lock.md +++ b/windows/client-management/config-lock.md 
@@ -9,7 +9,7 @@ appliesto: # Secured-core PC configuration lock -In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. +In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC. 
@@ -23,7 +23,7 @@ To summarize, config lock: ## Configuration Flow -After a [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure) reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies). +After a [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure) reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock doesn't apply. If the device is a secured-core PC, config lock locks the policies listed under [List of locked policies](#list-of-locked-policies). ## Enabling config lock using Microsoft Intune @@ -34,23 +34,24 @@ The steps to turn on config lock using Microsoft Intune are as follows: 1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune. 1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**. 1. Select the following and press **Create**: - - **Platform**: Windows 10 and later - - **Profile type**: Templates + - **Platform**: `Windows 10 and later` + - **Profile type**: `Templates` - **Template name**: Custom :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates."::: 1. Name your profile. 1. When you reach the Configuration Settings step, select "Add" and add the following information: - - **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock - - **Data type**: Integer - - **Value**: 1
+ - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock` + - **Data type**: `Integer` + - **Value**: `1` + To turn off config lock, change the value to 0. - :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn on config lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1."::: + :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn-on config lock and the OMA-URI set, along with a Data type of Integer set to a Value of 1."::: 1. Select the devices to turn on config lock. If you're using a test tenant, you can select "+ Add all devices". -1. You'll not need to set any applicability rules for test purposes. +1. You don't need to set any applicability rules for test purposes. 1. Review the Configuration and select "Create" if everything is correct. 1. After the device syncs with the Microsoft Intune server, you can confirm if the config lock was successfully enabled. diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md index 91cc6c9f18..e6c914668a 100644 --- a/windows/client-management/device-update-management.md +++ b/windows/client-management/device-update-management.md 
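Review bot: In the -34,23 hunk of config-lock.md, code formatting is applied unevenly: Platform, Profile type, OMA-URI, Data type and Value get backticks, but "**Template name**: Custom" and the 0 in "To turn off config lock, change the value to 0" do not. The alt-text edit also changes meaning: "Turn on config lock" is the text of the Description field shown in the screenshot and should not become "Turn-on config lock", and "the OMA-URI set" no longer says what it is set to.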
@@ -50,8 +50,8 @@ This section describes this setup. The following diagram shows the server-server MSDN provides much information about the Server-Server sync protocol. In particular: -- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. -- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it's even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`. +- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, to simplify development. +- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it's even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`. Some important highlights: 
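Review bot: The second added bullet keeps the fragment "The sample code shows raw SOAP commands, which can be used. Although it's even simpler to make the call from a programming language like .NET". Join it into one sentence, for example "The sample code shows raw SOAP commands, although it's simpler to call the WSDL-generated proxies from a language like .NET". "The stub generated by the Server Sync WSDL generates an incorrect binding URL" also repeats itself; "The stub generated from the Server Sync WSDL has an incorrect binding URL" is enough.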
@@ -64,7 +64,7 @@ Some important highlights: ### Examples of update metadata XML structure and element descriptions -The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). Some of the key elements are described below: +The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). Some of the key elements are described here: - **UpdateID** - The unique identifier for an update - **RevisionNumber** - Revision number for the update in case the update was modified. 
@@ -94,9 +94,9 @@ First some background: The following procedure describes a basic algorithm for a metadata sync service: -1. Create an empty list of "needed update IDs to fault in". This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative. +1. Create an empty list of "needed update IDs to fault in". This list gets updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative. 1. Sync periodically (we recommend once every 2 hours - no more than once/hour). - 1. Implement the authorization phase of the protocol to get a cookie if you don't already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). + 1. Implement the authorization phase of the protocol to get a cookie if you don't already have a nonexpired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). 1. Implement the metadata portion of the protocol. See **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB. - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one. - Remove updates from the "needed update IDs to fault in" list once they've been brought in. 
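Review bot: The metadata step in the unchanged context still closes its link with a doubled parenthesis, "[Protocol Examples](...)),", which leaves a stray ")" in the rendered step; worth fixing while the neighbouring steps are being edited. The step above it now says "nonexpired cookie", and the list never says how the service learns that a cookie has expired, so a short pointer to that part of the protocol samples would make the authorization step complete.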
@@ -122,7 +122,7 @@ Updates are configured using the [Update Policy CSP](mdm/policy-csp-update.md). ### Update management user experience screenshot -The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields. +The following screenshots of the administrator console show the list of update titles, approval status, and other metadata fields. :::image type="content" source="images/deviceupdatescreenshot1.png" alt-text="mdm update management screenshot."::: diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md index 98c231a399..9b12683d3e 100644 --- a/windows/client-management/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md 
@@ -8,7 +8,7 @@ ms.date: 08/10/2023 # Disconnecting from the management infrastructure (unenrollment) The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account. -The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they've left the company or because the device is regularly failing to comply with the organization's security settings policy. +The users choose to disconnect for any number of reasons, such as leaving the company or getting a new device or not needing access to their LOB apps on the old device anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they've left the company or because the device is regularly failing to comply with the organization's security settings policy. During disconnection, the client executes the following tasks: 
@@ -20,7 +20,7 @@ During disconnection, the client executes the following tasks: ## User-initiated disconnection -In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built-in to ensure the notification is successfully sent to the device. +In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built in to ensure the notification is successfully sent to the device. This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. 
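Review bot: The rewritten paragraph says the MDM client notifies the MDM server, but its second sentence ends "successfully sent to the device", so the direction of the notification contradicts itself. If the server is the recipient, suggest "successfully delivered to the server", and change the leftover "will notify to the MDM server" to "notifies the MDM server" to match the present tense used in the rest of this patch. The context sentence "send a user an MDM unenrollment user alert to the MDM server" has the same muddle and could be cleaned up in the same pass.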
@@ -31,7 +31,7 @@ The vendor uses the Type attribute to specify what type of generic alert it is. After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server. -The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) topic. +The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) article. ```xml @@ -82,7 +82,7 @@ After the previous package is sent, the unenrollment process begins. ## Server-initiated disconnection -When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with `messageid=1`. +When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server doesn't get a response for the unenrollment, instead a generic alert notification is sent with `messageid=1`. ```xml 
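Review bot: In the server-initiated hunk, the new sentence "The server doesn't get a response for the unenrollment, instead a generic alert notification is sent with `messageid=1`" is a comma splice and doesn't say who sends the alert. Suggest splitting it: "The server doesn't get a response for the unenrollment. Instead, a generic alert notification is sent with `messageid=1`.", and name the sender so a server implementer knows which side to expect it from.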
@@ -100,7 +100,7 @@ When the server initiates disconnection, all undergoing sessions for the enrollm ## Unenrollment from Work Access settings page -If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Azure AD association to the device. +If the user is enrolled into MDM using an Azure Active Directory (Azure AD Join or by adding a Microsoft work account), the MDM account shows up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Azure AD association to the device. You can only use the Work Access page to unenroll under the following conditions: 
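Review bot: In the added sentence, "using an Azure Active Directory (Azure AD Join or by adding a Microsoft work account)" leaves the article "an" without a noun and opens the parenthesis in the middle of the phrase. Suggest "enrolled into MDM through Azure Active Directory (Azure AD Join or a Microsoft work account)". The following sentence tells users to remove the Azure AD association, so the wording of how the association was created should be unambiguous.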
@@ -109,18 +109,18 @@ You can only use the Work Access page to unenroll under the following conditions ## Unenrollment from Azure Active Directory Join -When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. +When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data. ![aadj unenerollment.](images/azure-ad-unenrollment.png) -During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporate devices in un-managed state. +During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state. -Before remotely un-enrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation. +Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that isn't part of Azure AD, otherwise the device won't have any admin user after the operation. 
-In mobile devices, remote unenrollment for Azure Active Directory Joined devices will fail. To remove corporate content from these devices, we recommend you remotely wipe the device. +In mobile devices, remote unenrollment for Azure Active Directory Joined devices fails. To remove corporate content from these devices, we recommend you remotely wipe the device. ## IT admin-requested disconnection -The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider's Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic. +The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider's Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration article. When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management. diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md index 5e18d9ce19..bd41f63d4d 100644 --- a/windows/client-management/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md 
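Review bot: In disconnecting-from-mdm-unenrollment.md, the Azure AD Join hunk changes "not part of the Azure tenant" to "isn't part of Azure AD", which is not the same condition, and this sentence is what keeps the reader from leaving a device with no admin user after remote unenrollment. Please confirm the intended meaning and state it concretely, for example "at least one admin user on the device that isn't an Azure AD account". The same added line keeps "there is" while the rest of the hunk contracts, and the two sentences saying no warning is shown about losing WIP data would be easier to notice in an alert block than in body text.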
@@ -32,9 +32,9 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ 1. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc - 1. Click **Start**, then in the text box type **gpedit**. + 1. Select **Start**, then in the text box type **gpedit**. - 2. Under **Best match**, click **Edit group policy** to launch it. + 2. Under **Best match**, select **Edit group policy** to launch it. ![GPEdit search.](images/admx-gpedit-search.png) @@ -100,7 +100,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ 1. Search for GP name **Publishing_Server2_policy**. - 1. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. + 1. Under **policy name="Publishing_Server2_Policy"** you can see the `` listed. The `text id` and `enum id` represent the `data id` you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. Here's the snippet from appv.admx: @@ -192,7 +192,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - 1. From the **\** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor. + 1. From the `` tag, copy all of the `text id` and `enum id` and create an XML with `data id` and `value` fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor. Here's the example XML for Publishing_Server2_Policy: 
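Review bot: In the last hunk (the step that copies the `text id` and `enum id` values), the first sentence now marks `value` as code while the next sentence still has *value* in italics. Use code formatting in both places, consistent with `text id`, `enum id` and `data id` in the earlier hunk. The first hunk changes "Click" to "Select" but leaves "Run GPEdit.msc" as a bare fragment at the end of the step above; it reads better as its own instruction.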
@@ -251,7 +251,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ## Disable a policy -The \ payload is \. Here is an example to disable AppVirtualization/PublishingAllowServer2. +The \ payload is \. Here's an example to disable AppVirtualization/PublishingAllowServer2. ```xml diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index aa3a1c4d73..031f810c1b 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -1,6 +1,6 @@ --- title: Enroll a Windows device automatically using Group Policy -description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. +description: Learn how to use a Group Policy to trigger autoenrollment to MDM for Active Directory (AD) domain-joined devices. ms.topic: article ms.date: 08/10/2023 ms.collection: @@ -10,7 +10,7 @@ ms.collection: # Enroll a Windows device automatically using Group Policy -You can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. +You can use a Group Policy to trigger autoenrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. 
@@ -19,7 +19,7 @@ The enrollment into Intune is triggered by a group policy created on your local - The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client). - The enterprise has configured a Mobile Device Management (MDM) service. - The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad). -- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`). +- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents fail enrollment with `error 0x80180026`). - The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan). > [!TIP] 
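Review bot: The changed prerequisite keeps the word "error" inside the code span (`error 0x80180026`) and ties the code to classic-agent enrollment, while the troubleshooting text later in this file gives the same value as `MENROLL_E_DEVICE_MANAGEMENT_BLOCKED` and points at the **Disable MDM Enrollment** policy. Suggest formatting only the value as code and cross-referencing the two places, so an admin who sees the code in the task result is told about both causes.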
@@ -29,28 +29,28 @@ The enrollment into Intune is triggered by a group policy created on your local > - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) > - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md) -The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered. +The autoenrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered. > [!NOTE] > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. -When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. +When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user gets prompted to complete the authentication. 
Once the enrollment is configured, the user can check the status in the Settings page. - Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. - Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins). For this policy to work, you must verify that the MDM service provider allows Group Policy initiated MDM enrollment for domain-joined devices. -## Configure the auto-enrollment for a group of devices +## Configure the autoenrollment for a group of devices -To configure auto-enrollment using a group policy, use the following steps: +To configure autoenrollment using a group policy, use the following steps: 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. 1. Create a Security Group for the PCs. 1. Link the GPO. 1. Filter using Security Groups. -If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. +If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. The latest MDM.admx is backwards compatible. 1. Download the administrative templates for the desired version: 
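Review bot: The precedence bullet in the unchanged context still reads "Group Policy policy takes precedence over MDM", with "policy" doubled; because that bullet decides which setting is enforced when both are configured, it should be unambiguous. Suggest "the Group Policy setting takes precedence over MDM". In the added lines, "the user gets prompted to complete the authentication" would read better as "the user is prompted to complete the authentication".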
@@ -67,17 +67,17 @@ If you don't see the policy, it may be because you don't have the ADMX for Windo 1. Install the package on the Domain Controller. -1. Navigate to `C:\Program Files (x86)\Microsoft Group Policy`, and locate the appropriate sub-directory depending on the installed version. +1. Navigate to `C:\Program Files (x86)\Microsoft Group Policy`, and locate the appropriate subdirectory depending on the installed version. 1. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`. - If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain. + If this folder doesn't exist, then copy the files to the [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your domain. 1. Wait for the SYSVOL DFSR replication to be completed for the policy to be available. -## Configure the auto-enrollment Group Policy for a single PC +## Configure the autoenrollment Group Policy for a single PC -This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. +This procedure is only for illustration purposes to show how the new autoenrollment policy works. It's not recommended for the production environment in the enterprise. 1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`. 
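Review bot: The replacement for "If this folder doesn't exist, then you'll be switching to a central policy store for your entire domain" turns a warning about a domain-wide effect into an instruction, and the instruction is circular: the step already says to copy PolicyDefinitions to the SYSVOL path, so "copy the files to the central policy store" doesn't say what is different when the folder is missing. Suggest keeping the consequence the old line stated, for example "If this folder doesn't exist, creating it switches your domain to a central policy store", with the existing link.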
@@ -96,7 +96,7 @@ This procedure is only for illustration purposes to show how the new auto-enroll When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). -If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot. +If two-factor authentication is required, you are prompted to complete the process. Here's an example screenshot. :::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification."::: 
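Review bot: The added sentence says "two-factor authentication" and "you are prompted", while the earlier paragraph in this file says "multi-factor authentication" and the rest of the patch uses contractions. Pick one term for the authentication prompt (the screenshot alt text in the context also says "Two-factor") and use "you're prompted".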
@@ -118,16 +118,16 @@ Select **Start**, then in the text box type `task scheduler`. Under **Best match In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**. -:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png"::: +:::image type="content" alt-text="Autoenrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png"::: -To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. You can see the logs in the **History** tab. +To see the result of the task, move the scroll bar to see the **Last Run Result**. You can see the logs in the **History** tab. The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy. > [!NOTE] > The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies. -## Related topics +## Related articles - [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) - [Create and Edit a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754740(v=ws.11)) diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md index 58aaaa6019..56d0b0809b 100644 --- a/windows/client-management/enterprise-app-management.md +++ b/windows/client-management/enterprise-app-management.md 
@@ -7,7 +7,7 @@ ms.date: 08/10/2023 # Enterprise app management -This article will discuss one of the key features of Windows' Mobile Device Management (MDM) capabilities: the ability to manage apps' lifecycle on all Windows devices. This includes both Store and non-Store apps, which can be managed natively through MDM. +This article discusses one of the key features of Windows' Mobile Device Management (MDM) capabilities: the ability to manage apps' lifecycle on all Windows devices. This includes both Store and non-Store apps, which can be managed natively through MDM. By using Windows MDM to manage app lifecycles, administrators can deploy and manage updates, remove outdated or unused apps, and ensure that all devices have the necessary apps installed to meet the organization's needs. This feature streamlines the app management process and saves time and effort for IT professionals. 
@@ -29,18 +29,18 @@ Windows offers the ability for management servers to: Windows lets you inventory all apps deployed to a user, and inventory all apps for all users of a Windows device. The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications: - **Store**: Apps that have been acquired from the Microsoft Store, either directly or delivered with the enterprise from the Store for Business. -- **nonStore**: Apps that were not acquired from the Microsoft Store. -- **System**: Apps that are part of the operating system and cannot be uninstalled. This classification is read-only and can only be inventoried. +- **nonStore**: Apps that weren't acquired from the Microsoft Store. +- **System**: Apps that are part of the operating system and can't be uninstalled. This classification is read-only and can only be inventoried. Each app is identified by one package family name and one or more package full names, and the apps are grouped based on their origin. The EnterpriseModernAppManagement CSP displays these classifications as nodes. Inventory can be run recursively at any level from the AppManagement node through the package full name. You can also choose to inventory specific attributes only. The inventory is specific to the package full name and lists bundled and resource packs as applicable under the package family name. -For more information on each node, refer to the detailed descriptions provided in the [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md). +For more information on each node, see the detailed descriptions provided in the [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md). 
### App inventory -You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps, even if they were installed using MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device. +You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps, even if they were installed using MDM or other methods. Inventory can run at the user or device level. Inventory at the device level returns information for all users on the device. Doing a full inventory of a device can be resource-intensive based on the hardware and number of apps that are installed. The data returned can also be large. You may want to chunk these requests to reduce the impact to clients and network traffic. @@ -74,7 +74,7 @@ Doing a full inventory of a device can be resource-intensive based on the hardwa ### Store license inventory -You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device. +You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods. Inventory can run at the user or device level. Inventory at the device level returns information for all users on the device. For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md). 
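Review bot: In the Store license inventory hunk, the added line still carries the typo "event if they were installed via MDM or other methods"; it should be "even if", matching the App inventory paragraph in the hunk above. Since the line is being rewritten anyway, this is the place to fix it.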
@@ -228,8 +228,8 @@ Here are the changes from the previous release: 1. The `{CatID}` reference should be updated to `{ProductID}`. This value is acquired as a part of the Store for Business management tool. 1. The value for flags can be 0 or 1. - - When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. - - When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available. + - **0**: The management tool calls back to the Store for Business sync to assign a user a seat of an application. + - **1**: The management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP claims a seat if one is available. 1. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync. ### Deploy an offline license to a user 
@@ -377,7 +377,7 @@ The Add command for the package family name is required to ensure proper removal ### Provision apps for all users of a device -Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This feature is only supported for app purchased from the Store for Business, and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share. +Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next sign in. This feature is only supported for app purchased from the Store for Business, and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share. Here are the requirements for this scenario: @@ -423,7 +423,7 @@ To provision app for all users of a device from a hosted location, the managemen The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML: - Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location. - - Dependencies can be specified if required to be installed with the package. This is optional. + - Dependencies can be specified if necessary to be installed with the package. This is optional. The DeploymentOptions parameter is only available in the user context. 
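Review bot: In the last hunk, "Dependencies can be specified if necessary to be installed with the package. This is optional." is harder to parse than the line it replaces and states the optionality twice. Suggest "Optionally, specify dependencies to install with the package." In the provisioning hunk, "on their next sign in" uses the verb form as a noun; "sign-in" is the noun, and the sentence "The app is installed as a local system" would be clearer as "installed by the local system account", given that the next sentence is about that account's access to the share.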
@@ -574,7 +574,7 @@ To uninstall an app, you delete it under the origin node, package family name, a ### Removed provisioned apps from a device -You can remove provisioned apps from a device for a specific version, or for all versions of a package family. When a provisioned app is removed, it isn't available to future users for the device. Logged in users who have the app registered to them will continue to have access to the app. If you want to remove the app for those users, you must explicitly uninstall the app for those users. +You can remove provisioned apps from a device for a specific version, or for all versions of a package family. When a provisioned app is removed, it isn't available to future users for the device. Logged in users who have the app registered to them continue to have access to the app. If you want to remove the app for those users, you must explicitly uninstall the app for those users. > [!NOTE] > You can only remove an app that has an inventory value IsProvisioned = 1. 
@@ -746,7 +746,7 @@ The Universal Windows app can share application data between the users of the de The [ApplicationManagement/AllowSharedUserAppData](mdm/policy-csp-applicationmanagement.md) policy enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API. -If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((`/Get-ProvisionedAppxPackage` to detect if there's any shared data, and `/Remove-SharedAppxData` to remove it). +If you disable this policy, applications can't share user application data among multiple users. However, prewritten shared data persists. To clean prewritten shared data, use DISM (`/Get-ProvisionedAppxPackage` to detect if there's any shared data, and `/Remove-SharedAppxData` to remove it). The valid values are 0 (off, default value) and 1 (on). diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md index ccbd65977d..21cae9d2ac 100644 --- a/windows/client-management/esim-enterprise-management.md +++ b/windows/client-management/esim-enterprise-management.md 
@@ -10,7 +10,7 @@ ms.date: 08/10/2023 The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. -The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/un-assignment, etc.) the same way as they currently do device management. +The expectations from an MDM are that it uses the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/un-assignment, etc.) the same way as they currently do device management. If you're a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md index 1cfb0ff3ad..a96b2ed7e3 100644 --- a/windows/client-management/federated-authentication-device-enrollment.md +++ b/windows/client-management/federated-authentication-device-enrollment.md 
@@ -63,10 +63,10 @@ After the device gets a response from the server, the device sends a POST reques The following logic is applied: -1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails. +1. The device first tries HTTPS. If the device doesn't trust the server cert, the HTTPS attempt fails. 1. If that fails, the device tries HTTP to see whether it's redirected: - - If the device isn't redirected, it prompts the user for the server address. - - If the device is redirected, it prompts the user to allow the redirect. + - If the device isn't redirected, the user is prompted for the server address. + - If the device is redirected, the user is prompted to allow the redirect. The following example shows a request via an HTTP POST command to the discovery web service given `user@contoso.com` as the email address 
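Review bot: The two sub-bullets under step 2 move from active to passive voice ("the user is prompted for the server address"), which drops the actor; the original "it prompts the user" made clear that the device raises the prompt. Suggest keeping the active form, and spelling out "server certificate" in step 1 instead of "server cert".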
@@ -116,13 +116,13 @@ The following example shows the discovery service request. The discovery response is in the XML format and includes the following fields: - Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. -- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. +- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user is authenticated when calling the management service URL. This field is mandatory. - In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. > [!NOTE] > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. -When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call. 
+When authentication policy is set to be Federated, Web Authentication Broker (WAB) is used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client calls the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage is used by the enrollment client as the device security secret during the client certificate enrollment request call. > [!NOTE] > Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance: @@ -139,7 +139,7 @@ A new XML tag, **AuthenticationServiceUrl**, is introduced in the DiscoveryRespo The following are the explicit requirements for the server. - The ```` element must support HTTPS. -- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail. +- The authentication server must use a device trusted root certificate. Otherwise, the WAP call fails. - WP doesn't support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device. The enrollment client issues an HTTPS request as follows: 
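Review bot: In the @@ -139 hunk, "Otherwise, the WAP call fails" keeps what looks like a typo for WAB: the surrounding text, including the next bullet ("during WAB authentication"), refers to the Web Authentication Broker. Since the line is being touched anyway, change it to "the WAB call fails".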
@@ -148,8 +148,8 @@ The enrollment client issues an HTTPS request as follows: AuthenticationServiceUrl?appru=&login_hint= ``` -- `` is of the form ms-app://string -- `` is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign-in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication. +- `` is of the form `ms-app://string` +- `` is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign-in page. The value of this attribute serves as a hint that is used by the authentication server as part of the authentication. After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter. 
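Review bot: Changing "a hint that can be used by the authentication server" to "a hint that is used" alters the meaning: the original says the server may use login_hint, the new text asserts that it does. Unless that is intended, keep "can be used". The same changed line also carries "user@constoso.com", whereas the discovery example earlier in this file uses user@contoso.com.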
@@ -183,7 +183,7 @@ Content-Length: 556 ``` -The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it's just HTML encoded. This string is opaque to the enrollment client; the client doesn't interpret the string. +The server has to send a POST to a redirect URL of the form `ms-app://string` (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form its just HTML encoded. This string is opaque to the enrollment client; the client doesn't interpret the string. The following example shows a response received from the discovery web service that requires authentication via WAB. 
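Review bot: The changed line turns "in the form it's just HTML encoded" into "in the form its just HTML encoded", which replaces a correct contraction with a possessive. Restore "it's", and consider splitting the run-on, for example "In the form, it's just HTML encoded."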
@@ -371,7 +371,7 @@ This web service implements the MS-WSTEP protocol. It processes the RequestSecur The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on, match the certificate template), the client can enroll successfully. -The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more information, see the Response section. +The RequestSecurityToken uses a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more information, see the Response section. The RST may also specify many AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. 
@@ -466,14 +466,14 @@ After validating the request, the web service looks up the assigned certificate > [!NOTE] > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. -Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (`http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc`), because the token is more than an X.509 v3 certificate. +Similar to the TokenType in the RST, the RSTR uses a custom ValueType in the BinarySecurityToken (`http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc`), because the token is more than an X.509 v3 certificate. The provisioning XML contains: - The requested certificates (required) - The DM client configuration (required) -The client will install the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server. +The client installs the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server. Enrollment provisioning XML should contain a maximum of one root certificate and one intermediate CA certificate that is needed to chain up the MDM client certificate. More root and intermediate CA certificates could be provisioned during an OMA DM session. diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md index b120e7eb10..2927f3eefe 100644 --- a/windows/client-management/implement-server-side-mobile-application-management.md 
+++ b/windows/client-management/implement-server-side-mobile-application-management.md 
@@ -15,11 +15,11 @@ The Windows version of mobile application management (MAM) is a lightweight solu MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md). -MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user's actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. +MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices are enrolled to MAM or MDM, depending on the user's actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device is enrolled to MAM. If a user joins their device to Azure AD, it's enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. 
Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft 365 apps. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. -Regular non-admin users can enroll to MAM. +Regular non administrator users can enroll to MAM. ## Integration with Windows Information Protection 
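Review bot: "Regular non administrator users can enroll to MAM" leaves "non" as a detached word. Write "non-administrator users" (or "users who aren't administrators"); the same patch closes up other prefixes, such as "noncompliant" and "prewritten".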
@@ -37,11 +37,11 @@ MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID ## Configuring an Azure AD tenant for MAM enrollment -MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. The same cloud-based Management MDM app in Azure AD will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration. +MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. The same cloud-based Management MDM app in Azure AD supports both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. This screenshot illustrates the management app for an IT admin configuration. :::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png"::: -MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. +MAM and MDM services in an organization could be provided by different vendors. 
Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that contains both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. > [!NOTE] > If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured. 
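Review bot: The changed paragraph uses both "IT admin" and "IT Admin" ("IT admin typically needs to add", "then an IT Admin needs to add"), while the previous hunk in this file expands "non-admin" to "administrator". Pick one form here, and add the missing article: "an IT admin typically needs to add".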
@@ -50,11 +50,11 @@ MAM and MDM services in an organization could be provided by different vendors. MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method. -Below are protocol changes for MAM enrollment: +These are the protocol changes for MAM enrollment: - MDM discovery isn't supported. - APPAUTH node in [DMAcc CSP](mdm/dmacc-csp.md) is optional. -- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. +- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way TLS/SSL using server certificate authentication. Here's an example provisioning XML for MAM enrollment. 
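Review bot: "one-way TLS/SSL using server certificate authentication" still names SSL as an acceptable transport for policy sync sessions. If the requirement is server-authenticated TLS, say "one-way TLS" and drop SSL; if SSL is kept only as a familiar label, a short parenthetical would make that clear.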
@@ -70,11 +70,11 @@ Here's an example provisioning XML for MAM enrollment. ``` -Since the [Poll](mdm/dmclient-csp.md#deviceproviderprovideridpoll) node isn't provided above, the device would default to once every 24 hours. +Since the [Poll](mdm/dmclient-csp.md#deviceproviderprovideridpoll) node isn't provided in this example, the device would default to once every 24 hours. ## Supported CSPs -MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback: +MAM on Windows supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback: - [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps. - [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs. 
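Review bot: "the device would default to once every 24 hours" has no verb for what happens once every 24 hours. Since the sentence is about the Poll node, suggest "the device defaults to polling once every 24 hours". In the Supported CSPs line, "Note the list may change later based on customer feedback" would read better as "This list may change based on customer feedback."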
@@ -95,12 +95,12 @@ MAM on Windows supports the following configuration service providers (CSPs). Al MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP. -We don't recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows: +We don't recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client behaves as follows: - When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies, and reports compliance with EAS. -- If the device is found to be compliant, EAS will report compliance with the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance doesn't require device admin rights. -- If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights. -- If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM and EAS, and the resultant set of policies will be a superset of both. +- If the device is found to be compliant, EAS reports compliance with the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance doesn't require device admin rights. +- If the device is found to be noncompliant, EAS enforces its own policies to the device and the resultant set of policies are a superset of both. Applying EAS policies to the device requires admin rights. +- If a device that already has EAS policies is enrolled to MAM, the device has both sets of policies: MAM and EAS, and the resultant set of policies are a superset of both. ## Policy sync 
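Review bot: The rewrite of "will be a superset of both" to "are a superset of both" breaks agreement in two bullets: the subject is "the resultant set of policies", so the verb should be "is". Suggest "the resultant set of policies is a superset of both" in the noncompliant bullet and in the last bullet.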
@@ -113,7 +113,7 @@ Windows doesn't support applying both MAM and MDM policies to the same devices. > [!NOTE] > When users upgrade from MAM to MDM on Windows Home edition, they lose access to Windows Information Protection. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade. -To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment. +To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL is used for MDM enrollment. In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when Windows Information Protection policies are removed from the device, the user's access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that: @@ -121,4 +121,4 @@ In the process of changing MAM enrollment to MDM, MAM policies will be removed f - EDP CSP Enterprise ID is the same for both MAM and MDM. - EDP CSP RevokeOnMDMHandoff is set to false. -If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account won't be affected. +If the MAM device is properly configured for MDM enrollment, then the *Enroll only to device management* link is displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account won't be affected. 
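Review bot: In the @@ -121 hunk, the changed line mixes tenses: "the link is displayed" is now present tense, but the same line keeps "the enrollment will be changed to MDM" and "Their Azure AD account won't be affected". Convert those as well ("the enrollment is changed to MDM", "isn't affected"), and likewise "MAM policies will be removed from the device" in the context of the @@ -113 hunk.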
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index c85ffdd241..e48e3d486a 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -38,7 +38,7 @@ As indicated in the diagram, Microsoft continues to provide support for deep man With Windows, you can continue to use traditional OS deployment, but you can also "manage out of the box". To transform new devices into fully configured, fully managed devices, you can: -- Avoid re-imaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/). +- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/). - Create self-contained provisioning packages built with the Windows Configuration Designer. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages). 
@@ -100,7 +100,7 @@ There are various steps you can take to begin the process of modernizing device **Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, reevaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use [Group policy analytics in Microsoft Intune](/mem/intune/configuration/group-policy-analytics) to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune. -**Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs. +**Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you with the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs. 
**Review the decision trees in this article.** With the different options in Windows, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. diff --git a/windows/client-management/mdm-collect-logs.md b/windows/client-management/mdm-collect-logs.md index 33870a7264..5756913331 100644 --- a/windows/client-management/mdm-collect-logs.md +++ b/windows/client-management/mdm-collect-logs.md @@ -15,14 +15,14 @@ To help diagnose enrollment or device management issues in Windows devices manag ## Download the MDM Diagnostic Information log from Windows devices 1. On your managed device, go to **Settings** > **Accounts** > **Access work or school**. -1. Click your work or school account, then click **Info**. +1. Select your work or school account, then select **Info**. ![Access work or school page in Settings.](images/diagnose-mdm-failures15.png) -1. At the bottom of the **Settings** page, click **Create report**. +1. At the bottom of the **Settings** page, select **Create report**. ![Access work or school page and then Create report.](images/diagnose-mdm-failures16.png) -1. A window opens that shows the path to the log files. Click **Export**. +1. A window opens that shows the path to the log files. Select **Export**. ![Access work or school log files.](images/diagnose-mdm-failures17.png) 
@@ -40,12 +40,12 @@ mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -zi ### Understanding zip structure -The zip file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub +The zip file has logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub - DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls - DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) - MDMDiagHtmlReport.html: Summary snapshot of MDM configurations and policies. Includes, management url, MDM server device ID, certificates, policies. -- MdmDiagLogMetadata, json: mdmdiagnosticstool metadata file, contains command-line arguments used to run the tool +- MdmDiagLogMetadata.json: mdmdiagnosticstool metadata file that contains command-line arguments used to run the tool. - MDMDiagReport.xml: contains a more detailed view into the MDM configurations, such as enrollment variables, provisioning packages, multivariant conditions, and others. For more information about diagnosing provisioning packages, see [Diagnose provisioning packages](/windows/configuration/provisioning-packages/diagnose-provisioning-packages). - MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations - MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command 
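Review bot: The bullet list this hunk touches is now punctuated inconsistently: the corrected MdmDiagLogMetadata.json bullet ends with a period, the bullets around it don't, and the rewritten intro sentence ends at "Feedback Hub" with no period. The last bullet also says "mdmdiagnosticslog tool" where the metadata bullet says "mdmdiagnosticstool"; align the tool name while these lines are open.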
@@ -65,23 +65,23 @@ In this location, the **Admin** channel logs events by default. However, if you ### Collect admin logs -1. Right click on the **Admin** node. +1. Right-click the **Admin** node. 1. Select **Save all events as**. 1. Choose a location and enter a filename. -1. Click **Save**. +1. Select **Save**. 1. Choose **Display information for these languages** and then select **English**. -1. Click **Ok**. +1. Select **Ok**. -For more detailed logging, you can enable **Debug** logs. Right click on the **Debug** node and then click **Enable Log**. +For more detailed logging, you can enable **Debug** logs. Right-click on the **Debug** node and then select **Enable Log**. ### Collect debug logs -1. Right click on the **Debug** node. +1. Right-click on the **Debug** node. 1. Select **Save all events as**. 1. Choose a location and enter a filename. -1. Click **Save**. +1. Select **Save**. 1. Choose **Display information for these languages** and then select **English**. -1. Click **Ok**. +1. Select **Ok**. You can open the log files (.evtx files) in the Event Viewer on a Windows device. 
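Review bot: The new steps are inconsistent with each other: "Right-click the **Admin** node" drops "on", but both Debug lines keep "Right-click on the **Debug** node". Use one form throughout. The button label in "Select **Ok**" should also be checked against the UI; a later hunk in this file writes it as **OK**.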
@@ -241,17 +241,17 @@ For best results, ensure that the PC or VM on which you're viewing logs matches ![event viewer screenshot.](images/diagnose-mdm-failures9.png) 1. Navigate to the etl file that you got from the device and then open the file. -1. Click **Yes** when prompted to save it to the new log format. +1. Select **Yes** when prompted to save it to the new log format. ![event viewer prompt.](images/diagnose-mdm-failures10.png) ![diagnose mdm failures.](images/diagnose-mdm-failures11.png) -1. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. +1. The new view contains traces from the channel. Select **Filter Current Log** from the **Actions** menu. ![event viewer actions.](images/diagnose-mdm-failures12.png) -1. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. +1. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and select **OK**. ![event filter for Device Management.](images/diagnose-mdm-failures13.png) diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md index f8be2c3597..08c2a6ed6b 100644 --- a/windows/client-management/mdm-diagnose-enrollment.md +++ b/windows/client-management/mdm-diagnose-enrollment.md 
@@ -9,15 +9,15 @@ ms.date: 08/10/2023 This article provides suggestions for troubleshooting device enrollment issues for MDM. -## Verify auto-enrollment requirements and settings +## Verify autoenrollment requirements and settings -To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: +To ensure that the autoenrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: 1. Verify that the user who is going to enroll the device has a valid [Intune license](/mem/intune/fundamentals/licenses). :::image type="content" alt-text="Screenshot of Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: -1. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). +1. Verify that autoenrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) 
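Review bot: The alt text in the unchanged line `![Auto-enrollment activation verification.]`, directly under the rewritten step 2, still uses the hyphenated form that this hunk removes everywhere else. Update it in the same change so the screen-reader text matches the body.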
@@ -28,7 +28,7 @@ To ensure that the auto-enrollment feature is working as expected, you must veri 1. Verify that the device is running a [supported version of Windows](/windows/release-health/supported-versions-windows-client). -1. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. +1. Autoenrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. 
@@ -40,13 +40,13 @@ To ensure that the auto-enrollment feature is working as expected, you must veri This information can also be found on the Azure AD device list. -1. Verify that the MDM discovery URL during auto-enrollment is `https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc`. +1. Verify that the MDM discovery URL during autoenrollment is `https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc`. ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png) -1. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**. +1. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your autoenrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**. - :::image type="content" alt-text="Screenshot of Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png"::: + :::image type="content" alt-text="Screenshot of Mobility setting MDM Intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png"::: 1. When using group policy for enrollment, verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. 
@@ -56,7 +56,7 @@ To ensure that the auto-enrollment feature is working as expected, you must veri ## Troubleshoot group policy enrollment -Investigate the logs if you have issues even after performing all the verification steps. The first log file to investigate is the event log on the target Windows device. To collect Event Viewer logs: +Investigate the logs if you have issues even after performing all the verification steps. The first log file to investigate is the event log, on the target Windows device. To collect Event Viewer logs: 1. Open Event Viewer. 
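Review bot: The added line inserts a comma in `the event log, on the target Windows device`, which splits the noun phrase; the removed wording was correct. Drop the comma. It is the only change in this hunk, so the hunk can go entirely.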
@@ -65,21 +65,21 @@ Investigate the logs if you have issues even after performing all the verificati > [!TIP] > For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc). -1. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully: +1. Search for event ID 75, which represents a successful autoenrollment. Here's an example screenshot that shows the autoenrollment completed successfully: :::image type="content" alt-text="Screenshot of Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png"::: -If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons: +If you can't find event ID 75 in the logs, it indicates that the autoenrollment failed. This failure can happen because of the following reasons: -- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here's an example screenshot that shows that the auto-enrollment failed: +- The enrollment failed with error. In this case, search for event ID 76, which represents failed autoenrollment. Here's an example screenshot that shows that the autoenrollment failed: :::image type="content" alt-text="Screenshot of Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png"::: To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors). -- The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. 
To know the reason, you must understand the internal mechanisms happening on the device as described below: +- The autoenrollment didn't trigger at all. In this case, you won't find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described here: - The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot: + The autoenrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot: :::image type="content" alt-text="Screenshot of Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png"::: 
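Review bot: The rewritten sentence `The autoenrollment process is triggered by a task ... within the task-scheduler` still carries the hyphenated, lowercase `task-scheduler`, while the next hunk writes `task scheduler log` and the event log path there uses **Task Scheduler**. Since the line is being touched anyway, use the product name, Task Scheduler, here.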
@@ -94,16 +94,16 @@ If you can't find event ID 75 in the logs, it indicates that the auto-enrollment :::image type="content" alt-text="Screenshot of Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png"::: - The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment. + The task scheduler log displays event ID 102 (task completed) regardless of the autoenrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the autoenrollment task is triggered or not. It doesn't indicate the success or failure of autoenrollment. If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required. One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: :::image type="content" alt-text="Screenshot of Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png"::: - By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. 
In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016. + By default, these entries are removed when the device is unenrolled, but occasionally the registry key remains even after unenrollment. In this case, `gpupdate /force` fails to initiate the autoenrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016. - A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: + A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the previous screenshot shows. All other keys display fewer entries as shown in the following screenshot: :::image type="content" alt-text="Screenshot showing manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png"::: diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index b0850f563e..9c772124fe 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md 
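Review bot: The paragraph rewritten at the end of the `@@ -94,16` hunk tells readers to `remove the registry key manually` under **HKLM > Software > Microsoft > Enrollments** and to pick `the key that displays most entries`, but gives no step to export the key first or to confirm that the device is actually unenrolled. Since this line is being edited, add a sentence telling the reader to back up the key before deleting it, so that a wrong pick made on the entry-count heuristic can be undone.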
@@ -42,11 +42,11 @@ To join a domain: 1. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services. - If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you'll be able to enter your password directly on this page. If the tenant is part of a federated domain, you'll be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. + If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you're able to enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). After you complete the flow, your device will be connected to your organization's Azure AD domain. + If your Azure AD tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). 
If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). After you complete the flow, your device will be connected to your organization's Azure AD domain. ![azure ad signin.](images/unifiedenrollment-rs1-13.png) @@ -82,7 +82,7 @@ To create a local account and connect the device: Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. + If your Azure AD tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to connect your device to MDM. After you reach the end of the flow, your device should be connected to your organization's Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username. 
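Review bot: The changed paragraph in the `@@ -82,7` hunk still sends readers to `blogs.technet.microsoft.com` for autoenrollment details, while the otherwise identical paragraph in the `@@ -42,11` hunk links to the in-repo article `azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md`. Point both at the same in-repo target. The `@@ -42,11` paragraph also ends with `your device will be connected`, which the tense cleanup missed.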
@@ -97,9 +97,9 @@ There are a few instances where your device can't be connected to an Azure AD do | Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | | Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | | Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. | -| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You'll need to switch to an administrator account to continue. | -| Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | -| Your device is running Home edition. | This feature isn't available on Windows Home edition, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Pro, Enterprise, or Education edition to continue. | +| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You must switch to an administrator account to continue. | +| Your device is already managed by MDM. | The connect to Azure AD flow attempts to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | +| Your device is running Home edition. | This feature isn't available on Windows Home edition, so you can't connect to an Azure AD domain. You must upgrade to Pro, Enterprise, or Education edition to continue. 
| ## Connect personally owned devices @@ -107,7 +107,7 @@ Personally owned devices, also known as bring your own device (BYOD), can be con All Windows devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps. -### Register device in AAD and enroll in MDM +### Register device in Azure AD and enroll in MDM To create a local account and connect the device: @@ -131,9 +131,9 @@ To create a local account and connect the device: Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). + If your Azure AD tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). - You'll see the status page that shows the progress of your device being set up. + You can see the status page that shows the progress of your device being set up. ![corporate sign in - screen and option](images/unifiedenrollment-rs1-26.png) 
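Review bot: In the `@@ -131,9` hunk, `You'll see the status page` became `You can see the status page`, which turns something that happens on its own into something the user may choose to do. Suggest `A status page shows the progress of your device being set up.` The same substitution appears later in this file (`You can see the enrollment progress on screen`) and needs the same fix.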
@@ -151,7 +151,7 @@ There are a few instances where your device may not be able to connect to work. | We couldn't find your identity in your organization's cloud. | The username you entered wasn't found on your Azure AD tenant. | | Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Configuration Manager. | | You don't have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | -| We couldn't auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | +| We couldn't autodiscover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | ## Enroll in device management only 
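Review bot: The changed cell is in the first column of this table, which quotes the messages shown to the user (`Your device is already being managed by an organization.`, and so on), so `We couldn't auto-discover a management endpoint` is on-screen text, not article prose. Rewriting it to `autodiscover` makes the documented message differ from what the device displays and from what users search for; keep the string verbatim unless the product string itself changed.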
@@ -177,27 +177,27 @@ All Windows devices can be connected to MDM. You can connect to an MDM through t ![set up work or school account screen](images/unifiedenrollment-rs1-32.png) -1. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you'll be presented with a new window that will ask you for more authentication information. +1. If the device finds an endpoint that only supports on-premises authentication, this page changes and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you're presented with a new window that asks you for more authentication information. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. You'll see the enrollment progress on screen. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. You can see the enrollment progress on screen. ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) - After you complete the flow, your device will be connected to your organization's MDM. + After you complete the flow, your device is connected to your organization's MDM. ## Connect your Windows device to work using a deep link -Windows devices may be connected to work using a deep link. Users will be able to select or open a link in a particular format from anywhere in Windows, and be directed to the new enrollment experience. +Windows devices may be connected to work using a deep link. Users can select or open a link in a particular format from anywhere in Windows, and be directed to the new enrollment experience. -The deep link used for connecting your device to work will always use the following format. +The deep link used for connecting your device to work uses the following format. 
**ms-device-enrollment:?mode={mode\_name}**: | Parameter | Description | Supported Value for Windows | |--|--|--| -| mode | Describes which mode will be executed in the enrollment app. | Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. | +| mode | Describes which mode is executed in the enrollment app. | Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. | | username | Specifies the email address or UPN of the user who should be enrolled into MDM. | string | -| servername | Specifies the MDM server URL that will be used to enroll the device. | string | +| servername | Specifies the MDM server URL that is used to enroll the device. | string | | accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. | string | | deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to pass in a unique device identifier. | GUID | | tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to identify which tenant the device or user belongs to. | GUID or string | @@ -215,7 +215,7 @@ To connect your devices to MDM using deep links: 1. Create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**: - (This link will launch the flow equivalent to the Enroll into the device management option.) + This link launches the flow equivalent to the Enroll into the device management option. - IT admins can add this link to a welcome email that users can select to enroll into MDM. 
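Review bot: The rewritten step 1 in the `@@ -177,27` hunk reads `this page changes and ask you for your password`; the verb should be `asks`, as the matching step in the deep-link procedure later in this file has it.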
@@ -232,7 +232,7 @@ To connect your devices to MDM using deep links: ![set up a work or school account screen](images/deeplinkenrollment3.png) -1. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you'll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. +1. If the device finds an endpoint that only supports on-premises authentication, this page changes and asks you for your password. If the device finds an MDM endpoint that supports federated authentication, you're presented with a new window that asks for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. After you complete the flow, your device will be connected to your organization's MDM. @@ -240,7 +240,7 @@ To connect your devices to MDM using deep links: ## Manage connections -To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection. +To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections are displayed on this page and selecting one expands options for that connection. ![managing work or school account.](images/unifiedenrollment-rs1-34-b.png) 
@@ -248,21 +248,21 @@ To manage your work or school connections, select **Settings** > **Accounts** > The **Info** button can be found on work or school connections involving MDM. This button is included in the following scenarios: -- Connecting your device to an Azure AD domain that has auto-enroll into MDM configured. -- Connecting your device to a work or school account that has auto-enroll into MDM configured. +- Connecting your device to an Azure AD domain that has autoenroll into MDM configured. +- Connecting your device to a work or school account that has autoenroll into MDM configured. - Connecting your device to MDM. -Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You'll be able to view your organization's support information (if configured) on this page. You'll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed. +Selecting the **Info** button opens a new page in the Settings app that provides details about your MDM connection. You're able to view your organization's support information (if configured) on this page. You can also start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed. -Selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot. +Selecting the **Info** button shows a list of policies and line-of-business apps installed by your organization. Here's an example screenshot. ![work or school info.](images/unifiedenrollment-rs1-35-b.png) ### Disconnect -The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this functionality: +The **Disconnect** button can be found on all work connections. 
Generally, selecting the **Disconnect** button removes the connection from the device. There are a few exceptions to this functionality: -- Devices that enforce the AllowManualMDMUnenrollment policy won't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. +- Devices that enforce the AllowManualMDMUnenrollment policy don't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. - On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device. > [!WARNING] @@ -272,6 +272,6 @@ The **Disconnect** button can be found on all work connections. Generally, selec You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and then selecting the **Export your management logs** link under **Related Settings**. Next, select **Export**, and follow the path displayed to retrieve your management log files. -You can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report. +You can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you see the button to create a report. For more information, see [Collect MDM logs](mdm-collect-logs.md). diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md index ebe6d47a30..7676911fc4 100644 --- a/windows/client-management/mdm-known-issues.md +++ b/windows/client-management/mdm-known-issues.md 
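Review bot: The two changed bullets in the `@@ -248,21` hunk now read `has autoenroll into MDM configured`, using `autoenroll` as a noun where the rest of the patch uses `autoenrollment`. Suggest `that has autoenrollment into MDM configured` in both bullets.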
@@ -27,7 +27,7 @@ The certificate setting under "SSL Settings" in the IIS server for SCEP must be ## MDM enrollment fails on the Windows device when traffic is going through proxy -When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that doesn't require authentication or remove the proxy setting from the connected network. +When the Windows device is configured to use a proxy that requires authentication, the enrollment fails. To work around this issue, the user can use a proxy that doesn't require authentication or remove the proxy setting from the connected network. ## Server-initiated unenrollment failure @@ -37,7 +37,7 @@ Remote server unenrollment is disabled for mobile devices enrolled via Azure Act ## Certificates causing issues with Wi-Fi and VPN -When using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue. +When using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store also gets installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue. ## Version information for Windows 11 
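Review bot: The changed sentence in the `@@ -37,7` hunk keeps `We're working to fix this issue.` with no Windows version or date attached, so readers cannot tell whether the certificate intended for the device store still gets installed in the user store on current builds. While this line is open, confirm the status with the owning team and either name the affected versions or remove the sentence.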
@@ -56,7 +56,7 @@ A production ready deployment must have the appropriate certificate details as p EAP XML must be updated with relevant information for your environment. This task can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: -- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM's guidance on how to deploy a new Wi-Fi profile. +- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you can find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM's guidance on how to deploy a new Wi-Fi profile. - For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. For information about EAP Settings, see [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access). @@ -199,7 +199,7 @@ Alternatively you can use the following procedure to create an EAP Configuration > [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. -1. Click the **Properties** button underneath the drop-down menu. +1. Select the **Properties** button underneath the drop-down menu. 1. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. 
@@ -209,7 +209,7 @@ Alternatively you can use the following procedure to create an EAP Configuration :::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png"::: -1. Click **OK** to close the windows to get back to the main `rasphone.exe` dialog box. +1. Select **OK** to close the windows to get back to the main `rasphone.exe` dialog box. 1. Close the rasphone dialog box. diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index 01ebde8e94..ceca839aaa 100644 --- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md 
@@ -18,7 +18,7 @@ There are two parts to the Windows management component: - The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. For more information, see [Enrollment overview](mobile-device-enrollment.md). - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. -Third-party MDM servers can manage Windows devices using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows users. MDM servers don't need to create or download a client to manage Windows. +Third-party MDM servers can manage Windows devices using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server has the same consistent first-party user experience for enrollment, which also provides simplicity for Windows users. MDM servers don't need to create or download a client to manage Windows. For details about the MDM protocols, see @@ -59,7 +59,7 @@ No. Only one MDM is allowed. ### How do I set the maximum number of Azure Active Directory-joined devices per user? 1. Sign in to the portal as tenant admin: . -1. Navigate to **Azure AD**, then **Devices**, and then click **Device Settings**. +1. Navigate to **Azure AD**, then **Devices**, and then select **Device Settings**. 1. Change the number under **Maximum number of devices per user**. ### What is dmwappushsvc? 
@@ -68,4 +68,4 @@ No. Only one MDM is allowed. | --------------- | -------------------- | | What is dmwappushsvc? | It's a Windows service that ships in Windows operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | | What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry. | -| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail. | +| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service causes your management to fail. | 
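Review bot: The replacement row in the dmwappushsvc table still opens with "How do I turn if off?", where "if" should be "it". Since the row is being rewritten anyway, "we strongly recommend not to disable the service" would also read better as "we strongly recommend that you don't disable the service".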
diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md index 3feaa80acd..c69c1fb951 100644 --- a/windows/client-management/mobile-device-enrollment.md +++ b/windows/client-management/mobile-device-enrollment.md @@ -1,6 +1,6 @@ --- title: Mobile device enrollment -description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. +description: Learn how mobile device enrollment verifies that only authenticated and authorized devices are managed by the enterprise. ms.topic: article ms.date: 08/10/2023 ms.collection: 
@@ -10,12 +10,12 @@ ms.collection: # Mobile device enrollment -Mobile device enrollment is the first phase of enterprise management. The device is configured to communicate with the MDM server using security precautions during the enrollment process. The enrollment service verifies that only authenticated and authorized devices can be managed by their enterprise. +Mobile device enrollment is the first phase of enterprise management. The device is configured to communicate with the MDM server using security precautions during the enrollment process. The enrollment service verifies that only authenticated and authorized devices are managed by the enterprise. The enrollment process includes the following steps: 1. **Discovery of the enrollment endpoint**: This step provides the enrollment endpoint configuration settings. -1. **Certificate installation**: This step handles user authentication, certificate generation, and certificate installation. The installed certificates will be used in the future to manage client/server Secure Sockets Layer (SSL) mutual authentication. +1. **Certificate installation**: This step handles user authentication, certificate generation, and certificate installation. The installed certificates will be used in the future to manage client/server (TLS/SSL) mutual authentication. 1. **DM Client provisioning**: This step configures the Device Management (DM) client to connect to a Mobile Device Management (MDM) server after enrollment via DM SyncML over HTTPS (also known as Open Mobile Alliance Device Management (OMA DM) XML). ## Enrollment protocol 
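Review bot: The **Certificate installation** step keeps "will be used in the future" although the rest of this change moves the text to present tense, and "client/server (TLS/SSL) mutual authentication" reads as a leftover parenthetical now that "Secure Sockets Layer" has been dropped. Suggest "The installed certificates are used later for client/server TLS/SSL mutual authentication."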
@@ -43,9 +43,9 @@ The certificate enrollment is an implementation of the MS-WSTEP protocol. ### Management configuration -The server sends provisioning XML that contains a server certificate (for SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application. +The server sends provisioning XML that contains a server certificate (for TLS/SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application. -The following topics describe the end-to-end enrollment process using various authentication methods: +The following articles describe the end-to-end enrollment process using various authentication methods: - [Federated authentication device enrollment](federated-authentication-device-enrollment.md) - [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) 
@@ -60,7 +60,7 @@ The following topics describe the end-to-end enrollment process using various au ## Enrollment support for domain-joined devices -Devices that are joined to an on-premises Active Directory can enroll into MDM via **Settings** > **Access work or school**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. +Devices that are joined to an on-premises Active Directory can enroll into MDM via **Settings** > **Access work or school**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies continue to target all users of the device. ## Enrollment scenarios not supported @@ -115,7 +115,7 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma | s: | CertificateRequest | MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR | The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator. | 80180004 | | s: | EnrollmentServer | MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR | The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator. | 80180005 | | a: | InternalServiceFault | MENROLL_E_DEVICE_INTERNALSERVICE_ERROR | There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. | 80180006 | -| a: | InvalidSecurity | MENROLL_E_DEVICE_INVALIDSECURITY_ERROR | The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. | 80180007 | +| a: | InvalidSecurity | MENROLL_E_DEVICE_INVALIDSECURITY_ERROR | The Mobile Device Management (MDM) server wasn't able to validate your account. Try again or contact your system administrator. | 80180007 | SOAP format also includes `deviceenrollmentserviceerror` element. Here's an example: 
@@ -163,7 +163,7 @@ SOAP format also includes `deviceenrollmentserviceerror` element. Here's an exam TraceID is a freeform text node that is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment. -## Related topics +## Related articles - [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) - [Federated authentication device enrollment](federated-authentication-device-enrollment.md) diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md index c90783b9cd..4ed6e26aaf 100644 --- a/windows/client-management/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md @@ -74,7 +74,7 @@ For details about Microsoft mobile device management protocols for Windows, see | [BitLocker CSP](mdm/bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.

  • Added support for Pro edition. | | [Defender CSP](mdm/defender-csp.md) | Added a new node Health/ProductStatus. | | [DevDetail CSP](mdm/devdetail-csp.md) | Added a new node SMBIOSSerialNumber. | -| [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node. | +| [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) | Added Non-Removable setting under AppManagement node. | | [Office CSP](mdm/office-csp.md) | Added FinalStatus setting. | | [PassportForWork CSP](mdm/passportforwork-csp.md) | Added new settings. | | [RemoteWipe CSP](mdm/remotewipe-csp.md) | Added new settings. | diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md index 779c3b3a6e..ad62b88273 100644 --- a/windows/client-management/oma-dm-protocol-support.md +++ b/windows/client-management/oma-dm-protocol-support.md @@ -7,7 +7,7 @@ ms.date: 08/10/2023 # OMA DM protocol support -The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf). +The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This article describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf). ## OMA DM standards @@ -15,11 +15,11 @@ The following table shows the OMA DM standards that Windows uses. |General area|OMA DM standard that is supported| |--- |--- | -|Data transport and session|
  • Client-initiated remote HTTPS DM session over SSL.
  • Remote HTTPS DM session over SSL.
  • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
  • Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.| +|Data transport and session|
  • Client-initiated remote HTTPS DM session over TLS/SSL.
  • Remote HTTPS DM session over TLS/SSL.
  • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
  • Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.| |Bootstrap XML|OMA Client Provisioning XML.| -|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
  • Add (Implicit Add supported)
  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
  • Atomic: Performing an Add command followed by Replace on the same node within an atomic element isn't supported. Nested Atomic and Get commands aren't allowed and will generate error code 500.
  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
  • Exec: Invokes an executable on the client device
  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
  • Replace: Overwrites data on the client device
  • Result: Returns the data results of a Get command to the DM server
  • Sequence: Specifies the order in which a group of commands must be processed
  • Status: Indicates the completion status (success or failure) of an operation

    If an XML element that isn't a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
  • SyncBody
  • Atomic
  • Sequence

    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.

    If Atomic elements are nested, the following status codes are returned:
  • The nested Atomic command returns 500.
  • The parent Atomic command returns 507.

    For more information about the Atomic command, see OMA DM protocol common elements.
    Performing an Add command followed by Replace on the same node within an Atomic element isn't supported.

    LocURI can't start with `/`.

    Meta XML tag in SyncHdr is ignored by the device.| +|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
  • Add (Implicit Add supported)
  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
  • Atomic: Performing an Add command followed by Replace on the same node within an atomic element isn't supported. Nested Atomic and Get commands aren't allowed and generate error code 500.
  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
  • Exec: Invokes an executable on the client device
  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
  • Replace: Overwrites data on the client device
  • Result: Returns the data results of a Get command to the DM server
  • Sequence: Specifies the order in which a group of commands must be processed
  • Status: Indicates the completion status (success or failure) of an operation

    If an XML element that isn't a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
  • SyncBody
  • Atomic
  • Sequence

    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.

    If Atomic elements are nested, the following status codes are returned:
  • The nested Atomic command returns 500.
  • The parent Atomic command returns 507.

    For more information about the Atomic command, see OMA DM protocol common elements.
    Performing an Add command followed by Replace on the same node within an Atomic element isn't supported.

    LocURI can't start with `/`.

    Meta XML tag in SyncHdr is ignored by the device.| |OMA DM standard objects|DevInfo
  • DevDetail
  • OMA DM DMS account objects (OMA DM version 1.2)| -|Security|
  • Authenticate DM server initiation notification SMS message (not used by enterprise management)
  • Application layer Basic and MD5 client authentication
  • Authenticate server with MD5 credential at application level
  • Data integrity and authentication with HMAC at application level
  • SSL level certificate-based client/server authentication, encryption, and data integrity check| +|Security|
  • Authenticate DM server initiation notification SMS message (not used by enterprise management)
  • Application layer Basic and MD5 client authentication
  • Authenticate server with MD5 credential at application level
  • Data integrity and authentication with HMAC at application level
  • TLS/SSL level certificate-based client/server authentication, encryption, and data integrity check| |Nodes|In the OMA DM tree, the following rules apply for the node name:
  • "." can be part of the node name.
  • The node name can't be empty.
  • The node name can't be only the asterisk (`*`) character.| |Provisioning Files|Provisioning XML must be well formed and follow the definition in [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf).

    If an XML element that isn't a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
    **Note**
    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
    | |WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This dual-format support is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.| @@ -45,7 +45,7 @@ Common elements are used by other OMA DM element types. The following table list | SessionID | Specifies the identifier of the OMA DM session associated with the containing message. If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows, the device client returns 2 bytes. | | Source | Specifies the message source address. | | SourceRef | Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element. | -| Target | Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command. | +| Target | Specifies the address of the node in the DM Tree that is the target of the OMA DM command. | | TargetRef | Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element. | | VerDTD | Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message. | | VerProto | Specifies the major and minor version identifier of the OMA DM protocol specification used with the message. | 
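Review bot: In the new-in-windows-mdm-enrollment-management.md hunk earlier in this run of lines, the EnterpriseModernAppManagement CSP row changes "NonRemovable" to "Non-Removable". The neighbouring rows name settings by their identifiers (AllowStandardUserEncryption, SMBIOSSerialNumber, FinalStatus), so the hyphenated form no longer matches a name a reader can search for under the AppManagement node. Keep "NonRemovable", preferably in code formatting so that style passes don't reword it again.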
@@ -60,8 +60,8 @@ A server sends a Get command to a client device to retrieve the contents of one A DM session can be divided into two phases: -1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. -1. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. +1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3. +1. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5. The following information shows the sequence of events during a typical DM session. @@ -73,7 +73,7 @@ The following information shows the sequence of events during a typical DM sessi 1. The device sends a message, over an IP connection, to initiate the session. - This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level. + This message includes device information and credentials. The client and server do mutual authentication over a TLS/SSL channel or at the DM application level. 1. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any. 
@@ -83,9 +83,9 @@ The following information shows the sequence of events during a typical DM sessi The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). -During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. If the MD5 authentication occurs, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started. +During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. If the MD5 authentication occurs, the `Chal` element can be returned. Then the next nonce in `Chal` must be used for the MD5 digest when the next DM session is started. -If a request includes credentials and the response code to the request is 200, the same credential must be sent within the next request. If the Chal element is included and the MD5 authentication is required, a new digest is created by using the next nonce via the Chal element for next request. +If a request includes credentials and the response code to the request is 200, the same credential must be sent within the next request. If the `Chal` element is included and the MD5 authentication is required, a new digest is created by using the next nonce via the `Chal` element for next request. 
For more information about Basic or MD5 client authentication, MD5 server authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM_Security-V1_2_1-20080617-A), authentication response code handling and step-by-step samples in OMA Device Management Protocol specification (OMA-TS-DM_Protocol-V1_2_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2_1-20080617-A/). @@ -99,7 +99,7 @@ The data part of this alert could be one of following strings: - Others: another user sign in but that user doesn't have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device. - None: no active user sign in. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user sign in). -Below is an alert example: +Here's an alert example: ```xml 
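Review bot: In the two authentication paragraphs of the @@ -83,9 hunk, `Chal` is now code-formatted but "Cred" in the same paragraph ("if the device response code to Cred element in the server request is 212") is not; format both element names or neither. The second changed sentence also ends "via the `Chal` element for next request", which is missing "the" before "next request".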
@@ -129,23 +129,23 @@ When using SyncML in OMA DM, there are standard response status codes that are r |---|----| | 200 | The SyncML command completed successfully. | | 202 | Accepted for processing. This code denotes an asynchronous operation, such as a request to run a remote execution of an application. | -| 212 | Authentication accepted. Normally you'll only see this code in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this code if you look at OMA DM logs, but CSPs don't typically generate this code. | -| 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. | +| 212 | Authentication accepted. Normally you only see this code in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this code if you look at OMA DM logs, but CSPs don't typically generate this code. | +| 214 | Operation canceled. The SyncML command completed successfully, but no more commands are processed within the session. | | 215 | Not executed. A command wasn't executed as a result of user interaction to cancel the command. | | 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. | | 400 | Bad request. The requested command couldn't be performed because of malformed syntax. CSPs don't usually generate this error, however you might see it if your SyncML is malformed. | | 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs don't usually generate this error. | | 403 | Forbidden. The requested command failed, but the recipient understood the requested command. | -| 404 | Not found. The requested target wasn't found. This code will be generated if you query a node that doesn't exist. | -| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. 
| -| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. | +| 404 | Not found. The requested target wasn't found. This code is generated if you query a node that doesn't exist. | +| 405 | Command not allowed. This respond code is generated if you try to write to a read-only node. | +| 406 | Optional feature not supported. This response code is generated if you try to access a property that the CSP doesn't support. | | 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. | | 418 | Already exists. This response code occurs if you attempt to add a node that already exists. | | 425 | Permission Denied. The requested command failed because the sender doesn't have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. | -| 500 | Command failed. Generic failure. The recipient encountered an unexpected condition, which prevented it from fulfilling the request. This response code will occur when the SyncML DPU can't map the originating error code. | +| 500 | Command failed. Generic failure. The recipient encountered an unexpected condition, which prevented it from fulfilling the request. This response code occurs when the SyncML DPU can't map the originating error code. | | 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. | | 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command wasn't rolled back successfully. | -## Related topics +## Related articles [Configuration service provider reference](mdm/index.yml) diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md index b8c8a73074..39e4133d55 100644 --- a/windows/client-management/on-premise-authentication-device-enrollment.md 
+++ b/windows/client-management/on-premise-authentication-device-enrollment.md @@ -59,10 +59,10 @@ After the device gets a response from the server, the device sends a POST reques The following logic is applied: -1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails. -1. If that fails, the device tries HTTP to see whether it is redirected: - - If the device is not redirected, it prompts the user for the server address. - - If the device is redirected, it prompts the user to allow the redirect. +1. The device first tries HTTPS. If the device doesn't trust the server certificate, the HTTPS attempt fails. +1. If that fails, the device tries HTTP to see whether it's redirected: + - If the device isn't redirected, the user is prompted for the server address. + - If the device is redirected, the user is prompted to allow the redirect. The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address: 
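Review bot: In the discovery logic list of the on-premise-authentication-device-enrollment.md hunk, step 2 still presents the HTTP attempt as routine: after HTTPS fails because the device doesn't trust the server certificate, the device tries plain HTTP and follows a redirect once the user allows it. Since these lines are being rewritten, add a sentence telling administrators that an untrusted server certificate is what sends the device down this path, so the fix is a certificate the device trusts and not reliance on the user prompt. The new wording "the user is prompted to allow the redirect" should also say what the prompt shows, for example the redirect target, if that is the case.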
@@ -112,8 +112,8 @@ If a domain and user name are provided by the user instead of an email address, The discovery response is in the XML format and includes the following fields: - Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. -- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. -- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. +- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user is authenticated when calling the management service URL. This field is mandatory. +- Federated is added as another supported value. It allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. > [!NOTE] > The HTTP server response must not be chunked; it must be sent as one message. 
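Review bot: The rewritten AuthPolicy bullets contradict each other: the first says "OnPremise is the supported value" and the next, a separate top-level bullet, says "Federated is added as another supported value." Because Federated is a value of AuthPolicy and not a third response field, fold it into the AuthPolicy bullet or nest it beneath, and change the first sentence to "OnPremise and Federated are the supported values" if that is the intent. In the same line, "term of usage acceptance" should be "terms of use acceptance", and the comma before "and" can go.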
@@ -153,9 +153,7 @@ The following example shows a response received from the discovery web service f ## Enrollment policy web service -For the OnPremise authentication policy, the UsernameToken in GetPolicies contains the user credential, whose value is based on the authentication policy in discovery. A sample of the request can be found on the MSDN website; the following is another sample, with "user@contoso.com" as the user name and "mypassword" as the password. - -The following example shows the policy web service request. +For the OnPremise authentication policy, the UsernameToken in GetPolicies contains the user credential, whose value is based on the authentication policy in discovery. The following sample shows the policy web service request and uses `user@contoso.com` as the user name and `mypassword` as the password. ```xml [!NOTE] > The HTTP server response must not be chunked; it must be sent as one message. 
@@ -286,9 +284,9 @@ The following snippet shows the policy web service response. This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DM client. -The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully. +The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on, match the certificate template), the client can enroll successfully. 
-The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section. +The RequestSecurityToken uses a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more information, see the Response section. The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md index 1d03c53563..d449bbfa9f 100644 --- a/windows/client-management/push-notification-windows-mdm.md +++ b/windows/client-management/push-notification-windows-mdm.md 
@@ -7,7 +7,7 @@ ms.date: 08/10/2023 # Push notification support for device management -The [DMClient CSP](mdm/dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/windows/apps/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting). +The [DMClient CSP](mdm/dmclient-csp.md) supports the ability to configure push-initiated device management sessions. With [Windows Notification Services (WNS)](/windows/apps/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting). To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a management session with a device, it can utilize the token and the device ChannelURI, and begin communicating with the device. 
@@ -18,10 +18,10 @@ Because a device may not always be connected to the internet, WNS supports cachi The following restrictions are related to push notifications and WNS: - Push for device management uses raw push notifications. This restriction means that these raw push notifications don't support or utilize push notification payloads. -- Receipt of push notifications is sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. -- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It's strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server won't attempt to use a ChannelURI that has expired. +- Receipt of push notifications is sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS is terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS is also terminated. +- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. 
It's recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This query ensures that the management server doesn't attempt to use a ChannelURI that has expired. - Push isn't a replacement for having a polling schedule. -- WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support. +- WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN cease to have push initiated device management support. - In Windows 10, version 1511, we use the following retry logic for the DMClient: @@ -29,7 +29,7 @@ The following restrictions are related to push notifications and WNS: - If ExpiryTime is between now and 15 days, a schedule set for 4 +/- 1 hours from now. - If ExpiryTime has passed, a schedule is set for 1 day +/- 4 hours from now. -- In Windows 10, version 1607 and later, we check for network connectivity before retrying. We don't check for internet connectivity. If network connectivity isn't available, we'll skip the retry and set schedule for 4+/-1 hours to try again. +- In Windows 10, version 1607 and later, we check for network connectivity before retrying. We don't check for internet connectivity. If network connectivity isn't available, the retry is skipped and a schedule is set for 4+/-1 hours to try again. ## Get WNS credentials and PFN for MDM push notification 
@@ -40,10 +40,10 @@ To get a PFN and WNS credentials, you must create a Microsoft Store app. 1. Reserve an app name. 1. Select **Product Identity** under Product Management to view the **Package Family Name (PFN)** of your app. 1. Select **WNS/MPNS** under Product Management. - 1. Click the **App Registration portal** link. A new window opens showing your app in the Azure Portal. - 1. In the Application Registration Portal page, you'll see the properties for the app that you created, such as: + 1. Select the **App Registration portal** link. A new window opens showing your app in the Azure portal. + 1. In the Application Registration Portal page, you see the properties for the app that you created, such as: - Application ID - Application Secrets - Redirect URIs -For more information see, [Tutorial: Send notifications to Universal Windows Platform apps using Azure Notification Hubs](/azure/notification-hubs/notification-hubs-windows-store-dotnet-get-started-wns-push-notification). +For more information, see [Tutorial: Send notifications to Universal Windows Platform apps using Azure Notification Hubs](/azure/notification-hubs/notification-hubs-windows-store-dotnet-get-started-wns-push-notification). diff --git a/windows/client-management/server-requirements-windows-mdm.md b/windows/client-management/server-requirements-windows-mdm.md index 857b9332ba..e3cafbd896 100644 --- a/windows/client-management/server-requirements-windows-mdm.md +++ b/windows/client-management/server-requirements-windows-mdm.md 
@@ -11,7 +11,7 @@ The following list shows the general server requirements for using OMA DM to man - The OMA DM server must support the OMA DM v1.1.2 or later protocol. -- Secure Sockets Layer (SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is pre-installed in the device, you must provision the enterprise root certificate in the device's Root store. +- Secure Sockets Layer (TLS/SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is preinstalled in the device, you must provision the enterprise root certificate in the device's Root store. - To authenticate the client at the application level, you must use either Basic or MD5 client authentication. diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md index 2e7feed7fd..c239b9d0fd 100644 --- a/windows/client-management/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md 
@@ -22,7 +22,7 @@ The following table shows the OMA DM versions that are supported. ## File format -The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain additional XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](https://www.openmobilealliance.org/release/DM/V1_2_1-20080617-A/OMA-TS-DM_Protocol-V1_2_1-20080617-A.pdf) specification. +The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain more XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](https://www.openmobilealliance.org/release/DM/V1_2_1-20080617-A/OMA-TS-DM_Protocol-V1_2_1-20080617-A.pdf) specification. ```xml @@ -97,7 +97,7 @@ SyncBody contains one or more DM commands. The SyncBody can contain multiple DM **Code example** -The following example shows the body component of a DM message. In this example, SyncBody contains only one command, Get. This command is indicated by the <Final /> tag that occurs immediately after the terminating tag for the Get command. +The following example shows the body component of a DM message. In this example, SyncBody contains only one command, Get. This command is indicated by the `` tag that occurs immediately after the terminating tag for the Get command. ```xml diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md index 6b4e1ac228..e7bccddb07 100644 --- a/windows/client-management/understanding-admx-backed-policies.md +++ b/windows/client-management/understanding-admx-backed-policies.md 
@@ -23,9 +23,9 @@ Depending on the specific category of the settings that they control (OS or appl In a domain controller/Group Policy ecosystem, Group Policies are automatically added to the registry of the client computer or user profile by the Administrative Templates Client Side Extension (CSE) whenever the client computer processes a Group Policy. Conversely, in an MDM-managed client, ADMX files are applied to define policies independent of Group Policies. Therefore, in an MDM-managed client, a Group Policy infrastructure, including the Group Policy Service (gpsvc.exe), isn't required. -An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP doesn't rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM. +An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP doesn't rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies set by the MDM. 
-Windows maps the name and category path of a Group Policy to an MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX policies supported by MDM, see [Policy CSP - ADMX policies](mdm/policy-configuration-service-provider.md). +Windows maps the name and category path of a Group Policy to an MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy contains a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX policies supported by MDM, see [Policy CSP - ADMX policies](mdm/policy-configuration-service-provider.md). 
@@ -38,15 +38,15 @@ The ADMX file that the MDM ISV uses to determine what UI to display to the IT ad Group Policy option button setting: -- If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur: +- If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and select **Apply**, the following events occur: - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data. - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition. -- If **Disabled** is selected and you click **Apply**, the following events occur: +- If **Disabled** is selected and you select **Apply**, the following events occur: - The MDM ISV server sets up a Replace SyncML command with a payload set to ``. - The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX policy definition. -- If **Not Configured** is selected and you click **Apply**, the following events occur: +- If **Not Configured** is selected and you select **Apply**, the following events occur: - MDM ISV server sets up a Delete SyncML command. - The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX policy definition. 
@@ -236,7 +236,7 @@ This section describes sample SyncML for the various ADMX elements like Text, Mu ### How a Group Policy policy category path and name are mapped to an MDM area and policy name -Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. +Here's the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. `./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]//` 
@@ -261,7 +261,7 @@ The **LocURI** for the above GP policy is: `./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2` -To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown. +To construct SyncML for your area/policy using the following samples, you need to update the **data id** and the **value** in the `` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown. ### Text Element 
@@ -346,12 +346,12 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and ### List Element (and its variations) -The `list` element simply corresponds to a hive of REG_SZ registry strings and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. How this element is represented in SyncML is as a string containing pairs of strings. Each pair is a REG_SZ name/value key. It's best to apply the policy through gpedit.msc (run as Administrator) and go to the registry hive location and see how the list values are stored. This location will give you an idea of the way the name/value pairs are stored to express it through SyncML. +The `list` element simply corresponds to a hive of REG_SZ registry strings and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. How this element is represented in SyncML is as a string containing pairs of strings. Each pair is a REG_SZ name/value key. It's best to apply the policy through gpedit.msc (run as Administrator) and go to the registry hive location and see how the list values are stored. This location gives you an idea of the way the name/value pairs are stored to express it through SyncML. > [!NOTE] > It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``). -Variations of the `list` element are dictated by attributes. These attributes are ignored by the Policy Manager runtime. It's expected that the MDM server manages the name/value pairs. See below for a simple write-up of Group Policy List. +Variations of the `list` element are dictated by attributes. These attributes are ignored by the Policy Manager runtime. It's expected that the MDM server manages the name/value pairs. Here are some samples for the Group Policy List. **ADMX file: inetres.admx**: 
diff --git a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md index d13e5b475e..4c631e20f5 100644 --- a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md +++ b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md @@ -1,13 +1,13 @@ --- title: Using PowerShell scripting with the WMI Bridge Provider -description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider. +description: This article covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider. ms.topic: article ms.date: 08/10/2023 --- # Using PowerShell scripting with the WMI Bridge Provider -This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). +This article covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). ## Configuring per-device policy settings 
@@ -85,7 +85,7 @@ If accessing or modifying settings for a different user, then the PowerShell scr > [!NOTE] > All commands must executed under local system. -A user SID can be obtained by Windows command `wmic useraccount get name, sid`. The following script example assumes the user SID is S-1-5-21-4017247134-4237859428-3008104844-1001. +Windows command `wmic useraccount get name, sid` can be used to obtain the user SID. The following script example assumes the user SID is` S-1-5-21-4017247134-4237859428-3008104844-1001`. ```PowerShell $namespaceName = "root\cimv2\mdm\dmmap" @@ -208,6 +208,6 @@ catch [Exception] } ``` -## Related topics +## Related articles [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) diff --git a/windows/client-management/win32-and-centennial-app-policy-configuration.md b/windows/client-management/win32-and-centennial-app-policy-configuration.md index 719aa09af2..0cab615908 100644 --- a/windows/client-management/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/win32-and-centennial-app-policy-configuration.md 
@@ -18,7 +18,7 @@ Starting from the following Windows versions `Replace` command is supported: - Windows 10, version 1803 with KB4512509 and KB installed - Windows 10, version 1709 with KB4516071 and KB installed -When the ADMX policies are ingested, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations: +When the ADMX policies are ingested, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, aren't overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies aren't allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations: - Software\Policies\Microsoft\Office\ - Software\Microsoft\Office\ @@ -190,7 +190,7 @@ The following ADMX file example shows how to ingest a Win32 or Desktop Bridge ap **Request Syncml**: The ADMX file is escaped and sent in SyncML format through the Policy CSP URI, `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{FileUid or AdmxFileName}`. -When the ADMX file is imported, the policy states for each new policy are the same as those in a regular MDM policy: Enabled, Disabled, or Not Configured. +When the ADMX file is imported, the policy states for each new policy are the same as the ones in a regular MDM policy: Enabled, Disabled, or Not Configured. The following example shows an ADMX file in SyncML format: 
@@ -356,7 +356,7 @@ The following example shows an ADMX file in SyncML format: The following example shows how to derive a Win32 or Desktop Bridge app policy name and policy area name: -```XML +```xml @@ -396,9 +396,9 @@ The policy {AreaName} format is {AppName}~{SettingType}~{CategoryPathFromAdmx}. Therefore, from the example: -- Class: User -- Policy name: L_PolicyPreventRun_1 -- Policy area name: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3 +- Class: `User` +- Policy name: `L_PolicyPreventRun_1` +- Policy area name: `ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3` - URI: `./user/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3/L_PolicyPreventRun_1` ## ADMX-backed app policy examples diff --git a/windows/client-management/windows-mdm-enterprise-settings.md b/windows/client-management/windows-mdm-enterprise-settings.md index e389098154..e3503a278f 100644 --- a/windows/client-management/windows-mdm-enterprise-settings.md +++ b/windows/client-management/windows-mdm-enterprise-settings.md 
@@ -11,7 +11,7 @@ The actual management interaction between the device and server is done via the Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](mdm/index.yml). -Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. The DM client is configured during the enrollment process to be invoked by the task scheduler to periodically poll the MDM server. +Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. During the enrollment process, the task scheduler is configured to invoke the DM client to periodically poll the MDM server. The following diagram shows the work flow between server and client. 
@@ -21,7 +21,7 @@ The following diagram shows the work flow between server and client. This protocol defines an HTTPS-based client/server communication with DM SyncML XML as the package payload that carries management requests and execution results. The configuration request is addressed via a managed object (MO). The settings supported by the managed object are represented in a conceptual tree structure. This logical view of configurable device settings simplifies the way the server addresses the device settings by isolating the implementation details from the conceptual tree structure. -To facilitate security-enhanced communication with the remote server for enterprise management, Windows supports certificate-based mutual authentication over an encrypted SSL HTTP channel between the DM client and management service. The server and client certificates are provisioned during the enrollment process. +To facilitate security-enhanced communication with the remote server for enterprise management, Windows supports certificate-based mutual authentication over an encrypted TLS/SSL HTTP channel between the DM client and management service. The server and client certificates are provisioned during the enrollment process. The DM client configuration, company policy enforcement, business application management, and device inventory are all exposed or expressed via configuration service providers (CSPs). CSPs are the Windows term for managed objects. The DM client communicates with the server and sends configuration request to CSPs. The server only needs to know the logical local URIs defined by those CSP nodes in order to use the DM protocol XML to manage the device. diff --git a/windows/client-management/wmi-providers-supported-in-windows.md b/windows/client-management/wmi-providers-supported-in-windows.md index a3968023ff..ab34b9d0c7 100644 --- a/windows/client-management/wmi-providers-supported-in-windows.md 
+++ b/windows/client-management/wmi-providers-supported-in-windows.md @@ -12,7 +12,7 @@ Windows Management Infrastructure (WMI) providers (and the classes they support) > [!NOTE] > Applications installed using WMI classes are not removed when the MDM account is removed from device. -The child node names of the result from a WMI query are separated by a forward slash (/) and not URI escaped. Here is an example query. +The child node names of the result from a WMI query are separated by a forward slash (/) and not URI escaped. Here's an example query. Get the list of network adapters from the device. @@ -169,7 +169,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw | [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | | | **Win32\_WindowsUpdateAgentVersion** | | -## Related topics +## Related articles [CIM Video Controller](/windows/win32/cimwin32prov/cim-videocontroller) [Configuration service provider reference](mdm/index.yml) From e164788b8c520474c16b791ede655cf133732b40 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 10 Aug 2023 15:50:38 -0400 Subject: [PATCH 095/110] Minor update --- .../client-management/client-tools/windows-version-search.md | 2 +- .../manage-windows-10-in-your-organization-modern-management.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md index fefbaf36f1..a9ff816f27 100644 --- a/windows/client-management/client-tools/windows-version-search.md +++ b/windows/client-management/client-tools/windows-version-search.md 
@@ -2,7 +2,7 @@ title: What version of Windows am I running? description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel. ms.date: 08/10/2023 -ms.topic: troubleshooting +ms.topic: article --- # What version of Windows am I running? diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index e48e3d486a..5b432d5e1d 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -3,7 +3,7 @@ title: Manage Windows devices in your organization - transitioning to modern man description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. ms.localizationpriority: medium ms.date: 08/10/2023 -ms.topic: overview +ms.topic: article --- # Manage Windows devices in your organization - transitioning to modern management From eacbe32292890368f29bef4f8b2137e8d0f451f0 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 10 Aug 2023 15:56:55 -0400 Subject: [PATCH 096/110] Fix link --- .../client-management/client-tools/mandatory-user-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md index 8e65545d6c..e83331a476 100644 --- a/windows/client-management/client-tools/mandatory-user-profile.md +++ b/windows/client-management/client-tools/mandatory-user-profile.md 
@@ -47,7 +47,7 @@ First, you create a default user profile with the customizations that you want, 1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. > [!NOTE] - > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics). + > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-articles). 1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. From 5e9689ca0a1b73d7241d5b044c624d1e1ac48888 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 10 Aug 2023 17:44:42 -0700 Subject: [PATCH 097/110] Correct mangled data block This commit corrects the data block, which was mangled by commit 9ae1db2bbbd74973d24bf33d672b0d7abe73bcac. This resulted in the content of the metadata block being rendered in the pages that use the include file. --- .../windows-information-protection/includes/wip-deprecation.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
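Review bot: in the mandatory-user-profile.md hunk above, the added NOTE line changes the anchor to `#related-articles` but keeps the link text "Related topics", so the visible label no longer matches the heading it targets. Suggest `[Related articles](#related-articles)`. Since this patch touches only that one line, also confirm the heading in this file has actually been renamed, otherwise the new anchor is the broken one.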
diff --git a/windows/security/information-protection/windows-information-protection/includes/wip-deprecation.md b/windows/security/information-protection/windows-information-protection/includes/wip-deprecation.md index 4fb46d1559..398ac1dfdc 100644 --- a/windows/security/information-protection/windows-information-protection/includes/wip-deprecation.md +++ b/windows/security/information-protection/windows-information-protection/includes/wip-deprecation.md @@ -1,4 +1,5 @@ ----author: aczechowski +--- +author: aczechowski ms.author: aaroncz ms.prod: windows ms.topic: include From 969f1659443d9ea9bbbcd1e16c7828a463960433 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 08:43:20 -0400 Subject: [PATCH 098/110] changed TOCs --- .../device-management/toc.yml | 2 -- .../operating-system-security/system-security/toc.yml | 2 ++ windows/security/operating-system-security/toc.yml | 10 +++++----- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/operating-system-security/device-management/toc.yml b/windows/security/operating-system-security/device-management/toc.yml index 913340c2fb..5af1dc4845 100644 --- a/windows/security/operating-system-security/device-management/toc.yml +++ b/windows/security/operating-system-security/device-management/toc.yml @@ -1,6 +1,4 @@ items: - - name: Assigned Access (kiosk mode) - href: /windows/configuration/kiosk-methods - name: Security baselines href: windows-security-configuration-framework/windows-security-baselines.md items: diff --git a/windows/security/operating-system-security/system-security/toc.yml b/windows/security/operating-system-security/system-security/toc.yml index 2b6feab9aa..b9ce4be880 100644 --- a/windows/security/operating-system-security/system-security/toc.yml +++ b/windows/security/operating-system-security/system-security/toc.yml 
@@ -13,6 +13,8 @@ items: href: ../../threat-protection/security-policy-settings/security-policy-settings.md - name: Security auditing href: ../../threat-protection/auditing/security-auditing-overview.md +- name: Assigned Access (kiosk mode) 🔗 + href: /windows/configuration/kiosk-methods - name: Windows Security settings href: windows-defender-security-center/windows-defender-security-center.md items: diff --git a/windows/security/operating-system-security/toc.yml b/windows/security/operating-system-security/toc.yml index 641a049390..1e8df2650f 100644 --- a/windows/security/operating-system-security/toc.yml +++ b/windows/security/operating-system-security/toc.yml @@ -3,11 +3,11 @@ items: href: index.md - name: System security href: system-security/toc.yml -- name: Virus and threat protection - href: virus-and-threat-protection/toc.yml -- name: Network security - href: network-security/toc.yml - name: Encryption and data protection href: data-protection/toc.yml - name: Device management - href: device-management/toc.yml \ No newline at end of file + href: device-management/toc.yml +- name: Network security + href: network-security/toc.yml +- name: Virus and threat protection + href: virus-and-threat-protection/toc.yml \ No newline at end of file From d4a2f81c9751bfc6304e43ce907282f97cd7b392 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 11 Aug 2023 10:05:48 -0400 Subject: [PATCH 099/110] add spelling experience --- windows/configuration/windows-accessibility-for-ITPros.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md index 34434f0a9d..8504146c68 100644 --- a/windows/configuration/windows-accessibility-for-ITPros.md +++ b/windows/configuration/windows-accessibility-for-ITPros.md 
@@ -16,6 +16,8 @@ appliesto: - ✅ Windows 11 --- + + # Accessibility information for IT professionals Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows. @@ -111,6 +113,8 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy - [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). +- Text authoring tasks are the most important jobs to be done with voice access. With Spellings experience in voice access, users can dictate complex , non-standard words letter by letter and add it to Windows dictionary. The next time users try to dictate the same word, voice access improves it’s recognition. + - [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec). - [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/en-us/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). From 2af9695bcae83a8eff53de1706203df0bfaadf67 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 11 Aug 2023 10:14:23 -0400 Subject: [PATCH 100/110] Update windows-accessibility-for-ITPros.md fix formatting --- windows/configuration/windows-accessibility-for-ITPros.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md index 8504146c68..4a88f42941 100644 --- a/windows/configuration/windows-accessibility-for-ITPros.md +++ b/windows/configuration/windows-accessibility-for-ITPros.md 
@@ -113,7 +113,7 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy - [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). -- Text authoring tasks are the most important jobs to be done with voice access. With Spellings experience in voice access, users can dictate complex , non-standard words letter by letter and add it to Windows dictionary. The next time users try to dictate the same word, voice access improves it’s recognition. +- With spellings experience in voice access, users can dictate complex, non-standard words letter-by-letter and add it to Windows dictionary. The next time users try to dictate the same word, voice access improves it’s recognition. - [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec). From 284bea95fe1d22ab2e94d4345700c8253ad3b838 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 11 Aug 2023 10:20:36 -0400 Subject: [PATCH 101/110] Update windows-accessibility-for-ITPros.md fix grammar --- windows/configuration/windows-accessibility-for-ITPros.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md index 4a88f42941..89794e0b11 100644 --- a/windows/configuration/windows-accessibility-for-ITPros.md +++ b/windows/configuration/windows-accessibility-for-ITPros.md 
@@ -113,7 +113,7 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy - [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). -- With spellings experience in voice access, users can dictate complex, non-standard words letter-by-letter and add it to Windows dictionary. The next time users try to dictate the same word, voice access improves it’s recognition. +- With spellings experience in voice access, you can dictate a complex or non-standard word letter-by-letter and add it to Windows dictionary. The next time you try to dictate the same word, voice access improves its recognition. - [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec). From 08e3cd0d1015625fdea740f54e0b09ae8d1f102e Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 11 Aug 2023 12:16:21 -0400 Subject: [PATCH 102/110] Freshness review and other updates --- .../cryptography-certificate-mgmt.md | 2 +- ...-the-health-of-windows-10-based-devices.md | 201 +++++++++--------- .../secure-the-windows-10-boot-process.md | 16 +- .../system-security/trusted-boot.md | 4 +- .../wdsc-account-protection.md | 8 +- .../wdsc-app-browser-control.md | 12 +- .../wdsc-customize-contact-information.md | 24 ++- .../wdsc-device-performance-health.md | 8 +- .../wdsc-device-security.md | 12 +- .../wdsc-family-options.md | 10 +- .../wdsc-firewall-network-protection.md | 8 +- .../wdsc-hide-notifications.md | 14 +- .../wdsc-virus-threat-protection.md | 14 +- .../windows-defender-security-center.md | 8 +- .../available-settings.md | 4 +- .../enhanced-phishing-protection.md | 10 +- .../microsoft-defender-smartscreen/index.md | 4 +- 17 files changed, 185 insertions(+), 174 deletions(-) 
diff --git a/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md index 191b2d7c9c..3dab6e2b51 100644 --- a/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md +++ b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md @@ -2,7 +2,7 @@ title: Cryptography and Certificate Management description: Get an overview of cryptography and certificate management in Windows ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 08/11/2023 ms.reviewer: skhadeer, raverma --- diff --git a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 5152344cde..65b3843328 100644 --- a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -1,7 +1,7 @@ --- title: Control the health of Windows devices description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows devices. -ms.date: 10/13/2017 +ms.date: 08/11/2023 ms.topic: conceptual --- 
@@ -13,7 +13,7 @@ This article details an end-to-end solution that helps you protect high-value as For Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-related resources and their personal data. Users want to use the device of their choice to access the organization's applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is also known as the consumerization of IT. -Users want to have the best productivity experience when accessing corporate applications and working on organization data from their devices. That means they won't tolerate being prompted to enter their work credentials each time they access an application or a file server. From a security perspective, it also means that users will manipulate corporate credentials and corporate data on unmanaged devices. +Users want to have the best productivity experience when accessing corporate applications and working on organization data from their devices. That means they don't tolerate being prompted to enter their work credentials each time they access an application or a file server. From a security perspective, it also means that users manipulate corporate credentials and corporate data on unmanaged devices. With the increased use of BYOD, there will be more unmanaged and potentially unhealthy systems accessing corporate services, internal resources, and cloud apps. 
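Review bot: the two changed sentences in this hunk move from future to present tense ("they don't tolerate", "users manipulate"), but the unchanged sentence that follows still reads "there will be more unmanaged and potentially unhealthy systems", so the passage now mixes tenses. Either carry the edit through to that sentence or keep the original tense here. For the security statement itself, "users handle corporate credentials and corporate data on unmanaged devices" would read less ambiguously than "manipulate".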
@@ -21,7 +21,7 @@ Even managed devices can be compromised and become harmful. Organizations need t As Microsoft moves forward, security investments are increasingly focused on security preventive defenses and also on detection and response capabilities. -Windows 10 is an important component of an end-to-end security solution that focuses not only on the implementation of security preventive defenses, but adds device health attestation capabilities to the overall security strategy. +Windows is an important component of an end-to-end security solution that focuses not only on the implementation of security preventive defenses, but adds device health attestation capabilities to the overall security strategy. ## Description of a robust end-to-end security solution @@ -31,7 +31,7 @@ During recent years, one particular category of threat has become prevalent: adv With the BYOD phenomena, a poorly maintained device represents a target of choice. For an attacker, it's an easy way to breach the security network perimeter, gain access to, and then steal high-value assets. -The attackers target individuals, not specifically because of who they are, but because of who they work for. An infected device will bring malware into an organization, even if the organization has hardened the perimeter of networks or has invested in its defensive posture. A defensive strategy isn't sufficient against these threats. +The attackers target individuals, not specifically because of who they are, but because of who they work for. An infected device brings malware into an organization, even if the organization has hardened the perimeter of networks or has invested in its defensive posture. A defensive strategy isn't sufficient against these threats. ### A different approach 
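Review bot: in the @@ -31,7 +31,7 @@ hunk, the context line directly above the changed sentence opens with "With the BYOD phenomena", while the introduction uses the singular "This phenomenon"; since this paragraph is being edited anyway, correct it to "phenomenon". The new wording "An infected device brings malware into an organization" also states as certain what the old "will bring" framed as an expectation; "can bring" would keep the threat statement defensible.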
@@ -67,15 +67,15 @@ Access to content is then authorized to the appropriate level of trust for whate Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow more verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, further security authentication may need to be established by querying the user to answer a phone call before access is granted. -### Microsoft's security investments in Windows 10 +### Microsoft's security investments in Windows -In Windows 10, there are three pillars of investments: +In Windows, there are three pillars of investments: - **Secure identities.** Microsoft is part of the FIDO alliance that aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system and for services like on-premises resources and cloud resources. -- **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data. +- **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data. 
- **Threat resistance.** Microsoft is helping organizations to better secure enterprise assets against the threats of malware and attacks by using security defenses relying on hardware. -### Protect, control, and report on the security status of Windows 10-based devices +### Protect, control, and report on the security status of Windows-based devices This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware. @@ -83,39 +83,38 @@ This section is an overview that describes different parts of the end-to-end sec | Number | Part of the solution | Description | | - | - | - | -| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.
    A Windows 10-based device with TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.| +| **1** | Windows-based device | The first time a Windows-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.
    A Windows-based device with TPM can report health status at any time by using the Health Attestation Service available with all supported editions of Windows.| | **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organization's tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.
    Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that uses the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.| -| **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.
    MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.| -| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.
    Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).| +| **3**|Mobile device management| Windows has MDM support that enables the device to be managed out-of-box without deploying any agent.
    MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows.| +| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows security features are enabled on the device.
    Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).| | **5** | Enterprise managed asset | Enterprise managed asset is the resource to protect.
    For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.| -The combination of Windows 10-based devices, identity provider, MDM, and remote health attestation creates a robust end-to-end-solution that provides validation of health and compliance of devices that access high-value assets. +The combination of Windows-based devices, identity provider, MDM, and remote health attestation creates a robust end-to-end-solution that provides validation of health and compliance of devices that access high-value assets. ## Protect devices and enterprise credentials against threats -This section describes what Windows 10 offers in terms of security defenses and what control can be measured and reported to. +This section describes what Windows offers in terms of security defenses and what control can be measured and reported to. -### Windows 10 hardware-based security defenses +### Windows hardware-based security defenses -The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start. -Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-requirements) section. +The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. 
The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start. Windows supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-requirements) section. :::image type="content" alt-text="figure 4." source="images/hva-fig4-hardware.png"::: -Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process: +Windows supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process: - **Trusted Platform Module.** A Trusted Platform Module (TPM) is a hardware component that provides unique security features. - Windows 10 uses security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. + Windows uses security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that aren't compatible with each other: - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. 
- Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](/windows-hardware/design/minimum/minimum-hardware-requirements-overview). + Windows uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](/windows-hardware/design/minimum/minimum-hardware-requirements-overview). - Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. + Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows supports only TPM 2.0. TPM 2.0 provides a major revision to the capabilities over TPM 1.2: 
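Review bot: in the Trusted Platform Module bullet, dropping "10" turns "Windows 10 recognizes versions 1.2 and 2.0 TPM specifications" and "Windows 10 supports only TPM 2.0" into statements about every supported Windows release, which is a change of technical scope rather than a rename. Please confirm both sentences hold for all releases the article now covers, or scope them to the versions they were written for. The same bullet keeps "At the time of this writing, there are two versions of TPM specification" while the front matter date moves from 10/13/2017 to 08/11/2023, so that phrase should be rechecked or removed. The hunk also joins the bootkit paragraph and "Windows supports multiple layers of boot protection" into one paragraph; if that was not intended, restore the break.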
@@ -136,22 +135,21 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik - **Secure Boot.** Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot doesn't require a TPM. - The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that's signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program. + The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that's signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows under the Windows Hardware Compatibility Program. - Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot files and drivers at boot time. 
Secure Boot checks signature values of the Windows Boot Manager, BCD store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully boot into a usable operating system by using policies that are defined by the OEM at build time. Secure Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the Windows platform. Secure Boot protects the operating system boot process whether booting from local hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE). - Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity didn't compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded. + Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully boot into a usable operating system by using policies that are defined by the OEM at build time. Secure Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the Windows platform. Secure Boot protects the operating system boot process whether booting from local hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE). Secure Boot protects the boot environment of a Windows installation by verifying the signatures of the critical boot components to confirm malicious activity didn't compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded. > [!NOTE] > Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over. 
-- **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration. +- **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows configuration. Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) can't be enabled. This protective action ensures that the binaries and configuration of the computer can be trusted after the boot process has completed. Secure Boot configuration policy does this protective action with UEFI policy. These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot. - The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK shall be work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr. + The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK shall be work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows, the default Secure Boot configuration policy is embedded in bootmgr. - The bootloader verifies the digital signature of the Windows 10 kernel before loading it. 
The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component. This step is important and protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted. + The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component. This step is important and protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted. - **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading. 
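Review bot: The added Secure Boot configuration policy paragraph still reads "a policy signed by the Microsoft KEK shall be work on all Secure Boot systems"; since the line is being rewritten anyway, correct it to "shall work". The first added paragraph has the same kind of carry-over: "the Microsoft certificate used to digitally sign the Windows OS loaders are in that store" should be "is in that store". Separately, "With Windows, the default Secure Boot configuration policy is embedded in bootmgr" drops the only hint of which release this behavior applies from, because the removed wording tied it to Windows 10. Consider keeping a version qualifier on that one sentence.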
@@ -160,37 +158,37 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows won't load it. > [!NOTE] - > Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender's mini-filter driver before shutdown or reboot. + > Windows Defender, Microsoft's antimalware included by default in Windows, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender's mini-filter driver before shutdown or reboot. The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code. The ELAM driver is a small driver with a small policy database that has a narrow scope, focused on drivers that are loaded early at system launch. 
The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1). -- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a new enforced security boundary that allows you to protect critical parts of Windows 10. +- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a new enforced security boundary that allows you to protect critical parts of Windows. Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, see [Virtualization-based security](#virtualization-based-security) section. - **Hypervisor-protected Code Integrity (HVCI).** Hypervisor-protected Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run. - When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup. + When enabled and configured, Windows can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup. HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. 
This dependency on verification means that kernel memory pages can never be Writable and Executable (W+X) and executable code can't be directly modified. > [!NOTE] - > Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865) blog post. + > Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865) blog post. The Device Guard Code Integrity feature lets organizations control what code is trusted to run into the Windows kernel and what applications are approved to run in user mode. It's configurable by using a policy. Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. The signing of the Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to modify or remove the current Code Integrity policy. - **Credential Guard.** Credential Guard protects corporate credentials with hardware-based credential isolation. - In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack. + In Windows, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. 
With Credential Guard, Windows implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack. This attack-free state is accomplished by using Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. This accomplishment means that even if the Windows kernel is compromised, an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this unauthorized access because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory. -- **Health attestation.** The device's firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device's health. +- **Health attestation.** The device's firmware logs the boot process, and Windows can send it to a trusted server that can check and assess the device's health. - Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they're taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and can't be changed unless the system is reset. + Windows takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they're taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and can't be changed unless the system is reset. For more information, see [Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware](/previous-versions/windows/hardware/design/dn653311(v=vs.85)). 
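Review bot: In the HVCI note, the link text was changed to "Driver compatibility with Device Guard in Windows", but the target URL still ends in driver-compatibility-with-device-guard-in-windows-10, so the text no longer matches the post it points to. Link text that names an external article should keep that article's own title; please restore "in Windows 10" there. In the same hunk, the added Health attestation sentence "Windows takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load" does not parse. Something like "Measurements of the UEFI firmware and of each Windows and antimalware component are taken as they load" would fix it while the line is open.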
@@ -200,26 +198,26 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik ### Virtualization-based security -Virtualization-based security provides a new trust boundary for Windows 10 and uses Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data. +Virtualization-based security provides a new trust boundary for Windows and uses Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data. Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator privileges. Virtualization-based security isn't trying to protect against a physical attacker. -The following Windows 10 services are protected with virtualization-based security: +The following Windows services are protected with virtualization-based security: - **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory -- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. +- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. 
In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. - **Other isolated services**: for example, on Windows Server 2016, there's the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers. > [!NOTE] -> Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended. +> Virtualization-based security is only available with Enterprise edition. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended. -The schema below is a high-level view of Windows 10 with virtualization-based security. +The schema below is a high-level view of Windows with virtualization-based security. :::image type="content" alt-text="figure 5." source="images/hva-fig5-virtualbasedsecurity.png"::: ### Credential Guard -In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs a sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. This code execution helps ensure that protected data isn't stolen and reused on +In Windows, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs a sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. This code execution helps ensure that protected data isn't stolen and reused on remote machines, which mitigates many PtH-style attacks. 
Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key: 
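Review bot: The added note "Virtualization-based security is only available with Enterprise edition" loses the product name and reads as if "Enterprise edition" were a standalone product; the Device Guard hunk in this same patch uses "Windows Enterprise", so use "Windows Enterprise edition" here for consistency. The same added line keeps the stray period in "TPM 2.0. and support for Secure Memory overwritten", which is worth cleaning up. Also note that "a new trust boundary" and "the new virtualization-based security in Windows" keep the word "new" although the version it was new in has been removed.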
@@ -231,18 +229,18 @@ credential isolation is enabled, it then spawns LsaIso.exe as an isolated proces ### Device Guard -Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those applications that are trusted by the organization. +Device Guard is a feature of Windows Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those applications that are trusted by the organization. The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-based security, a Hyper-V protected container that runs alongside regular Windows. -Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10, kernel-mode drivers must be digitally signed. +Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows, kernel-mode drivers must be digitally signed. > [!NOTE] -> Independently of activation of Device Guard Policy, Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. 
Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation ("EV") Code Signing Certificate. +> Independently of activation of Device Guard Policy, Windows drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation ("EV") Code Signing Certificate. -With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines what is trusted to run. These include drivers and system files, and traditional desktop applications and scripts. The system is then locked down to only run applications that the organization trusts. +With Device Guard, organizations are now able to define their own Code Integrity policy for use on x64 systems running Windows Enterprise. Organizations have the ability to configure the policy that determines what is trusted to run. These include drivers and system files, and traditional desktop applications and scripts. The system is then locked down to only run applications that the organization trusts. -Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and applications. Device Guard can be configured using two rule actions - allow and deny: +Device Guard is a built-in feature of Windows Enterprise that prevents the execution of unwanted code and applications. Device Guard can be configured using two rule actions - allow and deny: - **Allow** limits execution of applications to an allowed list of code or trusted publisher and blocks everything else. 
- **Deny** completes the allow trusted publisher approach by blocking the execution of a specific application. @@ -251,10 +249,10 @@ At the time of this writing, and according to Microsoft's latest research, more Device Guard needs to be planned and configured to be truly effective. It isn't just a protection that is enabled or disabled. Device Guard is a combination of hardware security features and software security features that, when configured together, can lock down a computer to help ensure the most secure and resistant system possible. -There are three different parts that make up the Device Guard solution in Windows 10: +There are three different parts that make up the Device Guard solution in Windows: - The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start. -- After the hardware security feature, there's the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security. +- After the hardware security feature, there's the code integrity engine. In Windows, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security. - The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs). For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). 
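Review bot: After "There are three different parts that make up the Device Guard solution in Windows:" loses its version, the unchanged bullet right below it, "introduced with the previous version of Windows", has no release left to be previous to. Either name the release in that bullet or reword it so it does not depend on a version. The same applies to the time-relative wording kept in the added lines: "organizations are now able to define their own Code Integrity policy" and "Code Integrity is now fully configurable" only made sense relative to Windows 10, and the opening sentence of this hunk already drops "new" for that reason.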
@@ -274,10 +272,10 @@ Similarly, on corporate fully managed workstations, where applications are insta It could be challenging to use Device Guard on corporate, lightly managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it's difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. -Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard Code Integrity policy restricts what code can run on a device. +Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows, along with restrictions on Windows script hosts. Device Guard Code Integrity policy restricts what code can run on a device. > [!NOTE] -> Device Guard policy can be signed in Windows 10, which adds additional protection against administrative users changing or removing this policy. +> Device Guard policy can be signed in Windows, which adds additional protection against administrative users changing or removing this policy. 
Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat Device Guard. 
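Review bot: In the added Code Integrity policy sentence, "restrictions on Windows script hosts" is ambiguous once the version is removed, because it now reads like the product name Windows Script Host rather than script hosts in general. Consider "restrictions on script hosts in Windows". In the added note, "which adds additional protection" is redundant; "which adds protection" is enough.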
@@ -286,14 +284,14 @@ Device Guard policy into the UpdateSigner section. ### The importance of signing applications -On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run without restriction to a world where only signed and trusted code is allowed to run on Windows 10. +On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run without restriction to a world where only signed and trusted code is allowed to run on Windows. -With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the public Microsoft Store. Microsoft Store signs and distributes Universal +With Windows, organizations will make line-of-business (LOB) apps available to members of the organization through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the public Microsoft Store. Microsoft Store signs and distributes Universal Windows apps and Classic Windows apps. All apps downloaded from the Microsoft Store are signed. In organizations today, many LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for various reasons, like the lack of code signing expertise. Even if code signing is a best practice, many internal applications aren't signed. -Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create more signatures that can be distributed along with existing applications. +Windows includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create more signatures that can be distributed along with existing applications. ### Why are antimalware and device management solutions still necessary? 
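Review bot: The added sentence "With Windows, organizations will make line-of-business (LOB) apps available ..." keeps the future tense of a release announcement ("will make", "will be available") but no longer says which release it is announcing. With the version removed, these should be present tense, or the paragraph should be checked against how LOB app distribution works today before it is made version-neutral. The same goes for "Microsoft proposes to move from a world where unsigned apps can be run without restriction" in the first added line.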
@@ -307,15 +305,15 @@ To combat these threats, patching is the single most effective control, with ant Most application software has no facility for updating itself, so even if the software vendor publishes an update that fixes the vulnerability, the user may not know that the update is available or how to obtain it, and therefore remains vulnerable to attack. Organizations still need to manage devices and to patch vulnerabilities. -MDM solutions are becoming prevalent as a light-weight device management technology. Windows 10 extends the management capabilities that have become available for MDMs. One key feature Microsoft has added to Windows 10 is the ability for MDMs to acquire a strong statement of device health from managed and registered devices. +MDM solutions are becoming prevalent as a light-weight device management technology. Windows extends the management capabilities that have become available for MDMs. One key feature Microsoft has added to Windows is the ability for MDMs to acquire a strong statement of device health from managed and registered devices. ### Device health attestation Device health attestation uses the TPM to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device. -For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. +For Windows-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. 
-For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-an-unhealthy-windows-10-based-device) section. +For more information on device health attestation, see the [Detect an unhealthy Windows-based device](#detect-an-unhealthy-windows-based-device) section. [!INCLUDE [device-health-attestation-service](../../../../includes/licensing/device-health-attestation-service.md)] 
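Review bot: The in-page link target changes from #detect-an-unhealthy-windows-10-based-device to #detect-an-unhealthy-windows-based-device, which only resolves because the heading is renamed elsewhere in this patch. Please confirm that no other article or include links to the old anchor, since those links would break silently. In the same hunk, "Microsoft introduces a new public API that will allow MDM software to access" is announcement wording that no longer has a release attached; present tense would read better.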
@@ -325,21 +323,21 @@ The following table details the hardware requirements for both virtualization-ba |Hardware|Motivation| |--- |--- | -|UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot. UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"| +|UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot. UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"| |Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security. **Note:** Device Guard can be enabled without using virtualization-based security.| |X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86). Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.| -|IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.| +|IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows enhances system resiliency against DMA attacks.| |Trusted Platform Module (TPM)|Required to support health attestation and necessary for other key protections for virtualization-based security. TPM 2.0 is supported. 
Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)| -This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. +This section presented information about several closely related controls in Windows . The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. -## Detect an unhealthy Windows 10-based device +## Detect an unhealthy Windows-based device As of today, many organizations only consider devices to be compliant with company policy after they've passed various checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today's systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. 
A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools. The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running. -As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because health attestation uses the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. +As previously discussed, the health attestation feature of Windows uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows kernel, and even early boot drivers. Because health attestation uses the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. After the devices attest a trusted boot state, they can prove that they aren't running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data. 
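Review bot: The added summary paragraph now contains "closely related controls in Windows ." with a space before the period, left over from deleting "10"; remove the space. In the hardware table, "Hardware Compatibility Specification for Systems for Windows" appears to be the title of a cited specification, and trimming "10" from a document title makes the reference harder to look up, so keep the title as published. The TPM row correctly keeps "Windows 10, version 1607 (RS1)"; the same care is needed wherever the version is part of a fact rather than branding.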
@@ -357,16 +355,16 @@ But health attestation only provides information, which is why an MDM solution i ### Remote device health attestation -In Windows 10, health attestation refers to a feature where Measured Boot data generated during the boot process is sent to a remote device health attestation service operated by Microsoft. +In Windows, health attestation refers to a feature where Measured Boot data generated during the boot process is sent to a remote device health attestation service operated by Microsoft. -This approach is the most secure one available for Windows 10-based devices to detect when security defenses are down. During the boot process, the TCG log and PCRs' values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device. +This approach is the most secure one available for Windows-based devices to detect when security defenses are down. During the boot process, the TCG log and PCRs' values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device. A relying party like an MDM can inspect the report generated by the remote health attestation service. > [!NOTE] -> To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM. There is no restriction on any particular edition of Windows 10. +> To use the health attestation feature of Windows, the device must be equipped with a discrete or firmware TPM. There is no restriction on any particular edition of Windows. -Windows 10 supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent. 
+Windows supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent. Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the current security status and detecting any changes, without having to trust the software running on the system. @@ -378,7 +376,7 @@ Health attestation logs the measurements in various TPM Platform Configuration R :::image type="content" alt-text="figure 6." source="images/hva-fig6-logs.png"::: -When you start a device equipped with TPM, a measurement of different components is performed. These components include firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. +When you start a device equipped with TPM, a measurement of different components is performed. These components include firmware, UEFI drivers, CPU microcode, and also all the Windows drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. :::image type="content" alt-text="figure 7." source="images/hva-fig7-measurement.png"::: 
@@ -399,7 +397,7 @@ The number of retained logs may be set with the registry **REG\_DWORD** value ** The following process describes how health boot measurements are sent to the health attestation service: -1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client. +1. The client (a Windows-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client. 2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information. 3. The remote device heath attestation service then: 
@@ -442,7 +440,7 @@ The endorsement key is often accompanied by one or two digital certificates: - One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. - The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. -For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10. +For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows. > [!NOTE] > Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs: 
@@ -452,17 +450,17 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t ### Attestation Identity Keys -Because the endorsement certificate is unique for each device and doesn't change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. +Because the endorsement certificate is unique for each device and doesn't change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. > [!NOTE] -> Before the device can report its health using the TPM attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. +> Before the device can report its health using the TPM attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. 
Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. -Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it's communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft -Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device. +Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it's communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft +Cloud CA service has established these facts, it will issue an AIK certificate to the Windows-based device. -Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates aren't issued by Microsoft Cloud CA. These certificates aren't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. +Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. 
**To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate**. Such AIK certificates aren't issued by Microsoft Cloud CA. These certificates aren't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that isn't backed by an endorsement certificate. 
@@ -482,9 +480,9 @@ The value of a PCR on its own is hard to interpret (it's just a hash value), but ### TPM provisioning -For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning differs based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally on the registry. +For the TPM of a Windows-based device to be usable, it must first be provisioned. The process of provisioning differs based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally on the registry. -When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored **ownerAuth** values by looking in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Endorsement** +When the TPM is provisioned, Windows will first attempt to determine the EK and locally stored **ownerAuth** values by looking in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Endorsement** During the provisioning process, the device may need to be restarted. 
@@ -493,16 +491,16 @@ The **Get-TpmEndorsementKeyInfo PowerShell** cmdlet can be used with administrat If the TPM ownership isn't known but the EK exists, the client library will provision the TPM and will store the resulting **ownerAuth** value into the registry if the policy allows it will store the SRK public portion at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Admin\\SRKPub** -As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub** +As part of the provisioning process, Windows will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub** > [!NOTE] > For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: `https://\*.microsoftaik.azure.net` -### Windows 10 Health Attestation CSP +### Windows Health Attestation CSP -Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as "get", "set", "delete", and so on. +Windows contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. 
The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as "get", "set", "delete", and so on. -The following list is that of the functions performed by the Windows 10 Health Attestation CSP: +The following list is that of the functions performed by the Windows Health Attestation CSP: - Collects data that is used to verify a device's health status - Forwards the data to the Health Attestation Service @@ -540,11 +538,18 @@ The Health Attestation Service provides the following information to an MDM solu For completeness of the measurements, see [Health Attestation CSP](/windows/client-management/mdm/healthattestation-csp). -The following table presents some key items that can be reported back to MDM depending on the type of Windows 10-based device. +The following list shows some key items that can be reported back to MDM for Windows-based devices: -|OS type|Key items that can be reported| -|--- |--- | -|Windows 10 for desktop editions|
  • PCR0 measurement
  • Secure Boot Enabled
  • Secure Boot db matches Expected
  • Secure Boot dbx is up to date
  • Secure Boot policy GUID matches Expected
  • BitLocker enabled
  • Virtualization-based security enabled
  • ELAM was loaded
  • Code Integrity version is up to date
  • Code Integrity policy hash matches Expected| +- PCR0 measurement +- Secure Boot Enabled +- Secure Boot db matches Expected +- Secure Boot dbx is up to date +- Secure Boot policy GUID matches Expected +- BitLocker enabled +- Virtualization-based security enabled +- ELAM was loaded +- Code Integrity version is up to date +- Code Integrity policy hash matches expected ### Use MDM and the Health Attestation Service @@ -558,7 +563,7 @@ A solution that uses MDM and the Health Attestation Service consists of three ma :::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png"::: -Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows: +Interaction between a Windows-based device, the Health Attestation Service, and MDM can be performed as follows: 1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI. 2. The MDM server specifies a nonce along with the request. 
@@ -584,14 +589,14 @@ Setting the requirements for device compliance is the first step to ensure that Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a consequence for unhealthy devices like refusing access to high-value assets. That consequence for an unhealthy device is the purpose of conditional access control, which is detailed in the next section. -## Control the security of a Windows 10-based device before access is granted +## Control the security of a Windows-based device before access is granted Today's access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. If users can authenticate, they get access to resources using a device that the organization's IT staff and systems know little about. Perhaps there's some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware? The remote device health attestation process uses measured boot data to verify the health status of the device. The health of the device is then available for an MDM solution like Intune. > [!NOTE] -> For the latest information on Intune and Windows 10 features support, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). +> For the latest information on Intune and Windows features support, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). The figure below shows how the Health Attestation Service is expected to work with Microsoft's cloud-based Intune MDM service. 
@@ -602,24 +607,24 @@ firewall is running, and the devices patch state is compliant. Finally, resources can be protected by denying access to endpoints that are unable to prove they're healthy. This feature is much needed for BYOD devices that need to access organizational resources. -### Built-in support of MDM in Windows 10 +### Built-in support of MDM in Windows -Windows 10 has an MDM client that ships as part of the operating system. This MDM client enables MDM servers to manage Windows 10-based devices without requiring a separate agent. +Windows has an MDM client that ships as part of the operating system. This MDM client enables MDM servers to manage Windows-based devices without requiring a separate agent. ### Third-party MDM server support -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). +Third-party MDM servers can manage Windows by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). > [!NOTE] -> MDM servers do not need to create or download a client to manage Windows 10. For more information, see [Mobile device management](/windows/client-management/mdm/). +> MDM servers do not need to create or download a client to manage Windows. For more information, see [Mobile device management](/windows/client-management/mdm/). 
-The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. +The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows users. ### Management of Windows Defender by third-party MDM -This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren't domain joined. IT pros will be able to manage and configure all of the actions and settings they're familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms. +This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows-based devices, including BYODs that aren't domain joined. IT pros will be able to manage and configure all of the actions and settings they're familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows-based devices by using MDM because many of the settings and actions are shared across both mechanisms. -For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](/mem/intune/configuration/custom-settings-windows-10). 
+For more information on how to manage Windows security and system settings with an MDM solution, see [Custom URI settings for Windows devices](/mem/intune/configuration/custom-settings-windows-10). ### Conditional access control @@ -641,7 +646,7 @@ When a user requests access to an Office 365 service from a supported device pla When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like Intune. > [!NOTE] -> Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067) blog post. +> Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067) blog post. When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single-sign-on to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access. 
@@ -657,14 +662,14 @@ Clients that attempt to access Office 365 will be evaluated for the following pr - Is the device registered with Azure AD? - Is the device compliant? -To get to a compliant state, the Windows 10-based device needs to: +To get to a compliant state, the Windows-based device needs to: - Enroll with an MDM solution. - Register with Azure AD. - Be compliant with the device policies set by the MDM solution. > [!NOTE] -> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post. +> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows - Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post. ### Cloud and on-premises apps conditional access control 
@@ -701,7 +706,7 @@ The following process describes how Azure AD conditional access works: 13. If the device is compliant and the user is authorized, an access token is generated. 14. User can access the corporate managed asset. -For more information about Azure AD join, see [Azure AD & Windows 10: Better Together for Work or School](https://go.microsoft.com/fwlink/p/?LinkId=691619), a white paper. +For more information about Azure AD join, see [Azure AD & Windows: Better Together for Work or School](https://go.microsoft.com/fwlink/p/?LinkId=691619), a white paper. Conditional access control is a topic that many organizations and IT pros may not know and they should. The different attributes that describe a user, a device, compliance, and context of access are powerful when used with a conditional access engine. Conditional access control is an essential step that helps organizations secure their environment. @@ -723,7 +728,7 @@ The following list contains high-level key takeaways to improve the security pos - **Use Device Guard** - Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization). + Device Guard is a real advance in security and an effective way to help protect against malware. The Device Guard feature in Windows blocks untrusted apps (apps not authorized by your organization). - **Sign Device Guard policy** 
@@ -747,9 +752,9 @@ The following list contains high-level key takeaways to improve the security pos - **Lock down firmware and configuration** - After Windows 10 is installed, lock down firmware boot options access. This lockdown prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool. + After Windows is installed, lock down firmware boot options access. This lockdown prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool. -Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to high-value assets based on a user and their device's identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution. +Health attestation is a key feature of Windows that includes client and cloud components to control access to high-value assets based on a user and their device's identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. 
Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution. ## Related topics diff --git a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md index 536e09924d..b0da2402b2 100644 --- a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md +++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md @@ -2,7 +2,7 @@ title: Secure the Windows boot process description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications. ms.topic: conceptual -ms.date: 03/09/2023 +ms.date: 08/11/2023 ms.collection: - highpri - tier1 
@@ -16,9 +16,9 @@ Windows has multiple levels of protection for desktop apps and data, too. Window Those components are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malware, and bootkits specifically, are capable of starting before Windows, completely bypassing OS security, and remaining hidden. -When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can't remain hidden; Trusted Boot can prove the system's integrity to your infrastructure in a way that malware can't disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows. +Running Windows 10 or Windows 11 on a PC with Unified Extensible Firmware Interface (UEFI) support ensures that Trusted Boot safeguards your PC against malware right from the moment you power it on. This protection continues until your anti-malware software takes over. If, by any chance, malware manages to infect your PC, it won't be able to stay hidden. Trusted Boot can verify the system's integrity to your infrastructure in a manner that malware can't mask. Even for PCs without UEFI, Windows offers enhanced startup security compared to earlier Windows versions. -First, let's examine what rootkits are and how they work. Then, we'll show you how Windows can protect you. +To begin, let's take a closer look at rootkits and their functioning. Following that, we'll illustrate how Windows can ensure your protection. ## The threat: rootkits 
@@ -74,14 +74,14 @@ These requirements help protect you from rootkits while allowing you to run any To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software can't change the Secure Boot settings. -The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible. +The default state of Secure Boot has a wide circle of trust, which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. 
A customer who intended to only trust and boot a single Linux distribution will trust all distributions - much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible. To trust and boot operating systems, like Linux, and components signed by the UEFI signature, Secured-core PCs can be configured in the BIOS menu to add the signature in the UEFI database by following these steps: 1. Open the firmware menu, either: - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site. - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings. -2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA". +2. From the firmware menu, navigate to Security > Secure Boot and select the option to trust the "3rd Party CA". 3. Save changes and exit. 
Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust. @@ -96,7 +96,7 @@ Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digi Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps don't start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. -Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the OS hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows won't load it. +Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the OS hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows doesn't load it. An ELAM driver isn't a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows) supports ELAM, as does several non-Microsoft anti-malware apps. 
@@ -108,7 +108,7 @@ As a result, PCs infected with rootkits appear to be healthy, even with anti-mal Measured Boot works with the TPM and non-Microsoft software in Windows. It allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process: -1. The PC's UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app. +1. The PC's UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that is loaded before the anti-malware app. 2. At the end of the startup process, Windows starts the non-Microsoft remote attestation client. The trusted attestation server sends the client a unique key. 3. The TPM uses the unique key to digitally sign the log recorded by the UEFI. 4. The client sends the log to the server, possibly with other security information. @@ -121,7 +121,7 @@ Figure 2 illustrates the Measured Boot and remote attestation process. *Figure 2. Measured Boot proves the PC's health to a remote server*: -Windows includes the application programming interfaces to support Measured Boot, but you'll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For example, see the following tools from Microsoft Research: +Windows includes the application programming interfaces to support Measured Boot. However, to take advanted of it, you need non-Microsoft tools to implement a remote attestation client and trusted attestation server. For example, see the following tools from Microsoft Research: - [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487) - [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr) 
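Review bot: Typo in the added sentence of the @@ -121,7 hunk: "to take advanted of it" should be "to take advantage of it". The same sentence says you need non-Microsoft tools and then offers "the following tools from Microsoft Research" as the example. Since the line is being rewritten, consider wording it as "additional tools" so the two halves don't contradict each other.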
diff --git a/windows/security/operating-system-security/system-security/trusted-boot.md b/windows/security/operating-system-security/system-security/trusted-boot.md index a5b511cc48..364719eebb 100644 --- a/windows/security/operating-system-security/system-security/trusted-boot.md +++ b/windows/security/operating-system-security/system-security/trusted-boot.md 
@@ -18,11 +18,11 @@ Secure Boot and Trusted Boot help prevent malware and corrupted components from The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments. -As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with. +As the PC begins the boot process, it first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with. ## Trusted Boot -Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product's early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments. 
+Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your anti-malware product's early-launch anti-malware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally. diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md index 1cc228a906..0282a7bcb2 100644 --- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md @@ -1,7 +1,7 @@ --- title: Account protection in Windows Security description: Use the Account protection section to manage security for your account and sign in to Microsoft. -ms.date: 07/31/2023 +ms.date: 08/11/2023 ms.topic: article --- 
@@ -14,11 +14,11 @@ The **Account protection** section contains information and settings for account - [Windows Hello for Business](../../../identity-protection/hello-for-business/hello-identity-verification.md) - [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from) -You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features. +You can also choose to hide the section from users of the device, if you don't want your employees to access or view user-configured options for these features. ## Hide the Account protection section -You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side. +You can choose to hide the entire section by using Group Policy. When hidden, this section doesn't appear on the home page of **Windows Security**, and its icon isn't shown on the navigation bar on the side. You can only configure these settings by using Group Policy. 
@@ -26,7 +26,7 @@ You can only configure these settings by using Group Policy. > You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. -1. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. +1. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 1. Expand the tree to **Windows components > Windows Security > Account protection**. 1. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**. 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md index cc471dcd0a..6ede491eeb 100644 --- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md @@ -1,7 +1,7 @@ --- title: App & browser control in Windows Security description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings. -ms.date: 07/31/2023 +ms.date: 08/11/2023 ms.topic: article --- 
@@ -22,10 +22,10 @@ You can only prevent users from modifying Exploit protection settings by using G > [!IMPORTANT] > You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. +2. In the **Group Policy Management Editor**, go to **Computer configuration**, select **Policies** and then **Administrative templates**. 3. Expand the tree to **Windows components > Windows Security > App and browser protection**. -4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**. +4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Select **OK**. 5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). ## Hide the App & browser control section 
@@ -37,10 +37,10 @@ This section can be hidden only by using Group Policy. > [!IMPORTANT] > You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**. 3. Expand the tree to **Windows components > Windows Security > App and browser protection**. -4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**. +4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Select **OK**. 5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). > [!NOTE] diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md index 425b654097..70c71bc872 100644 --- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md 
@@ -1,7 +1,7 @@ --- title: Customize Windows Security contact information in Windows Security description: Provide information to your employees on how to contact your IT department when a security issue occurs -ms.date: 07/31/2023 +ms.date: 08/11/2023 ms.topic: article --- 
@@ -21,34 +21,40 @@ Users can select the displayed information to initiate a support request: ## Requirements -You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows don't include these Group Policy settings. ## Use Group Policy to enable and customize contact information There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components > Windows Security > Enterprise Customization**. -4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or select one or the other: +4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. 
They'll both use the same source of information (explained in Steps 5 and 6). You can enable both, or select one or the other: - 1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**. + 1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Select **OK**. > [!NOTE] > This can only be done in Group Policy. - 2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**. + 2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Select **OK**. -5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**. +5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Select **OK**. 6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings. Open the setting, select **Enabled**, and then add the contact information in the field under **Options**: 1. **Specify contact email address or Email ID** 2. **Specify contact phone number or Skype ID** 3. **Specify contact website** + > [!NOTE] + > If you enable **Configure customized notifications** and **Specify contact website** policies, the contact website must begin with `http:` or `https:` (for example, `https://contoso.com/help`) to allow the user to interact with the notification and navigate to the specified URL. + 7. Select **OK** after you configure each setting to save your changes. 
-To enable the customized notifications and add the contact information in Intune, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy) and [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings). +To enable the customized notifications and add the contact information in Intune, see these articles: + +- [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy). +- [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings). > [!IMPORTANT] > You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized. diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md index f604b8d41f..b34941e7bb 100644 --- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md 
@@ -10,7 +10,7 @@ ms.topic: article The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they're seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). -The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues. +The [Windows 10 IT pro troubleshooting article](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues. This section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. 
@@ -23,10 +23,10 @@ This section can be hidden only by using Group Policy. > [!IMPORTANT] > You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. +1. In **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 1. Expand the tree to **Windows components > Windows Security > Device performance and health**. -1. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**. +1. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Select **OK**. 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). > [!NOTE] diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md index ddbe4db12c..0c75434023 100644 --- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md 
@@ -1,7 +1,7 @@ --- title: Device security in Windows Security -description: Use the Device security section to manage security built into your device, including virtualization-based security. -ms.date: 07/31/2023 +description: Use the Device security section to manage security built into your device, including Virtualization-based security. +ms.date: 08/11/2023 ms.topic: article --- @@ -18,7 +18,7 @@ You can choose to hide the entire section by using Group Policy. The section won > [!IMPORTANT] > You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. 2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**. 3. Expand the tree to **Windows components** > **Windows Security** > **Device security**. 4. Open the **Hide the Device security area** setting and set it to **Enabled**. Select **OK**. 
@@ -31,12 +31,12 @@ You can choose to hide the entire section by using Group Policy. The section won ## Disable the Clear TPM button -If you don't want users to be able to click the **Clear TPM** button in **Windows Security**, you can disable it. +If you don't want users to be able to select the **Clear TPM** button in **Windows Security**, you can disable it. > [!IMPORTANT] > You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. 2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**. 3. Expand the tree to **Windows components** > **Windows Security** > **Device security**. 4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Select **OK**. 
@@ -46,7 +46,7 @@ If you don't want users to be able to click the **Clear TPM** button in **Window If you don't want users to see the recommendation to update TPM firmware, you can disable it. -1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. 2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**. 3. Expand the tree to **Windows components** > **Windows Security** > **Device security**. 4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Select **OK**. diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md index 55662338f9..7ba7b42e75 100644 --- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md @@ -1,7 +1,7 @@ --- title: Family options in Windows Security description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments. -ms.date: 07/31/2023 +ms.date: 08/11/2023 ms.topic: article --- 
@@ -10,7 +10,7 @@ ms.topic: article The **Family options** section contains links to settings and further information for parents of a Windows PC. It isn't intended for enterprise or business environments. -Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender) +Home users can learn more at the [Help protection your family online in Windows Security article at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender) This section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section. 
@@ -23,10 +23,10 @@ This section can be hidden only by using Group Policy. > [!IMPORTANT] > You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. +1. In **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 1. Expand the tree to **Windows components > Windows Security > Family options**. -1. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**. +1. Open the **Hide the Family options area** setting and set it to **Enabled**. Select **OK**. 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). > [!NOTE] diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md index 9153c4e5b5..713b98447c 100644 --- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md 
@@ -1,7 +1,7 @@ --- title: Firewall and network protection in Windows Security description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine. -ms.date: 07/31/2023 +ms.date: 08/11/2023 ms.topic: article --- @@ -20,10 +20,10 @@ This section can be hidden only by using Group Policy. > [!IMPORTANT] > You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**. -1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and select **Edit**. +1. In **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 1. Expand the tree to **Windows components > Windows Security > Firewall and network protection**. -1. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**. +1. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Select **OK**. 1. Deploy the updated GPO as you normally do. > [!NOTE] diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md index 56fa5c9cf1..6e0c20b83c 100644 --- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md 
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md @@ -16,7 +16,7 @@ There are two levels to hiding notifications: 1. Hide non-critical notifications, such as regular updates about the number of scans Microsoft Defender Antivirus ran in the past week 2. Hide all notifications -If you set **Hide all notifications** to **Enabled**, changing the **Hide non-critical notifications** setting will have no effect. +If you set **Hide all notifications** to **Enabled**, changing the **Hide non-critical notifications** setting has no effect. You can only use Group Policy to change these settings. 
@@ -30,10 +30,10 @@ These notifications can be hidden only by using Group Policy. > You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445). -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. +1. In **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications** -1. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**. +1. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Select **OK**. 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). ## Use Group Policy to hide all notifications 
@@ -45,14 +45,14 @@ These notifications can be hidden only by using Group Policy. > [!IMPORTANT] > You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. +1. In **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**. > [!NOTE] > For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**. -1. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**. +1. Open the **Hide all notifications** setting and set it to **Enabled**. Select **OK**. 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). > [!NOTE] diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md index 1bc56621cb..cc0979c845 100644 
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -1,7 +1,7 @@ --- title: Virus and threat protection in Windows Security description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products. -ms.date: 07/31/2023 +ms.date: 08/11/2023 ms.topic: article --- @@ -31,10 +31,10 @@ This section can be hidden only by using Group Policy. > [!IMPORTANT] > You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. +1. In **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**. -1. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**. +1. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Select **OK**. 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). > [!NOTE] 
@@ -51,8 +51,8 @@ This area can be hidden only by using Group Policy. > [!IMPORTANT] > You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. +1. In **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**. -1. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**. +1. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Select **OK**. 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md index 8944c3ef1b..1970d566b4 100644 --- a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md 
@@ -1,7 +1,7 @@ --- title: Windows Security description: Windows Security brings together common Windows security features into one place. -ms.date: 07/31/2023 +ms.date: 08/11/2023 ms.topic: article ms.collection: - highpri 
@@ -82,13 +82,13 @@ For more information about each section, options for configuring the sections, a > > This will significantly lower the protection of your device and could lead to malware infection. -**Windows Security** operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. +**Windows Security** operates as a separate app or process from each of the individual features, and displays notifications through the Action Center. It acts as a collector or single place to see the status and perform some configuration for each of the features. -If you disable any of the individual features, it will prevent that feature from reporting its status in **Windows Security**. For example, if you disable a feature through group policy or other management tools, such as Microsoft Configuration Manager, **Windows Security** itself will still run and show status for the other security features. +If you disable any of the individual features, it prevents that feature from reporting its status in **Windows Security**. For example, if you disable a feature through group policy or other management tools, such as Microsoft Configuration Manager, **Windows Security** itself still runs and shows status for the other security features. > [!IMPORTANT] > If you individually disable any of the services, it won't disable the other services or **Windows Security** itself. -For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). However, **Windows Security** will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. +For example, [using a third-party antivirus disables Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). 
However, **Windows Security** still runs, shows its icon in the taskbar, and displays information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md index 1b896b0738..5968d29a6c 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md @@ -1,7 +1,7 @@ --- title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings. -ms.date: 05/31/2023 +ms.date: 08/11/2023 ms.topic: reference --- # Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings @@ -29,7 +29,7 @@ Setting|Supported on|Description| If you manage your policies using Microsoft Intune, use these MDM policy settings. All settings support desktop computers running Windows 10/11 Pro or Windows 10/11 Enterprise, enrolled with Microsoft Intune. -For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser](/windows/client-management/mdm/policy-csp-browser). +For Microsoft Defender SmartScreen Microsoft Edge MDM policies, see [Policy CSP - Browser](/windows/client-management/mdm/policy-csp-browser). |Setting|Supported versions|Details| |--- |--- |--- | 
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index f474a45688..a16db47b99 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md @@ -1,7 +1,7 @@ --- title: Enhanced Phishing Protection in Microsoft Defender SmartScreen description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps. -ms.date: 05/31/2023 +ms.date: 08/11/2023 ms.topic: conceptual appliesto: - ✅ Windows 11, version 22H2 
@@ -13,8 +13,8 @@ Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft If a user signs into Windows using a password, Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school password used to sign into Windows 11 in these ways: -- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also prompts them to change their password so attackers can't gain access to their account. -- Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password. +- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also alerts them to change their password so attackers can't gain access to their account. +- Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and alert them to change their password. - Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file. > [!NOTE] 
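Review bot: In the first bullet, replacing "prompts" with "alerts" leaves two consecutive sentences that both say the feature "alerts them", and "alerts them to change their password" no longer makes clear that the user is being asked to take an action. The same applies to "and alert them to change their password" in the second bullet. Suggest keeping "prompts them to change their password", or using "advises them to change their password" if "prompt" has to be avoided, so the password-change step stays distinct from the warning.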
@@ -46,7 +46,7 @@ To configure devices using Microsoft Intune, create a [**Settings catalog** poli |---------|---------| |Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | |Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| -|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| +|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| |Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| Assign the policy to a security group that contains as members the devices or users that you want to configure. @@ -59,7 +59,7 @@ Enhanced Phishing Protection can be configured using the following Administrativ |---------|---------| |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md index 3940c5070c..9b52d9fb84 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender SmartScreen overview description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. -ms.date: 05/31/2023 +ms.date: 08/11/2023 ms.topic: article ms.localizationpriority: high ms.collection: 
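Review bot: The added "Notify Password Reuse" rows in enhanced-phishing-protection.md, in both the Intune table and the Administrative Templates table, introduce a stray comma in "reuse their work, or school password". The first sentence of the same cell, the disable bullet, and every other row use "work or school password". Drop the comma in both rows so the policy descriptions stay consistent.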
@@ -45,7 +45,7 @@ Microsoft Defender SmartScreen provide an early warning system against websites ## Submit files to Microsoft Defender SmartScreen for review -If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](/microsoft-365/security/intelligence/submission-guide). +If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](/microsoft-365/security/intelligence/submission-guide). When submitting a file for Microsoft Defender SmartScreen, make sure to select **Microsoft Defender SmartScreen** from the product menu. From d64e00b8f4491c20abe603f18cf0814bf0ca8474 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 11 Aug 2023 12:27:46 -0400 Subject: [PATCH 103/110] Update Boot Image with CU Article 55 --- ...-boot-image.md => customize-boot-image.md} | 175 +++++++++++------- 1 file changed, 108 insertions(+), 67 deletions(-) rename windows/deployment/{update-boot-image.md => customize-boot-image.md} (92%) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/customize-boot-image.md similarity index 92% rename from windows/deployment/update-boot-image.md rename to windows/deployment/customize-boot-image.md index 8397d13a9f..41a1c4926a 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/customize-boot-image.md 
@@ -1,6 +1,6 @@ --- -title: Update Windows PE boot image with the latest cumulative updates -description: This article describes how to update a Windows PE (WinPE) boot image with the latest cumulative update. +title: Customize Windows PE boot images +description: This article describes how to customize a Windows PE (WinPE) boot image including updating with the latest cumulative update, adding drivers, and adding optional components. ms.prod: windows-client ms.localizationpriority: medium author: frankroj 
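Review bot: This commit renames update-boot-image.md to customize-boot-image.md, and the diffstat shows only one file changed, so no redirect for the old path is added here. Existing links to the old article, including any that point readers to the boot image update guidance for CVE-2023-24932, would break. Confirm that a redirect entry for windows/deployment/update-boot-image.md is added elsewhere in this series.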
@@ -17,11 +17,15 @@ appliesto: - ✅ Windows Server 2016 --- -# Update Windows PE boot image with the latest cumulative update +# Customize Windows PE boot images -Microsoft recommends updating Windows PE (WinPE) boot images with the latest cumulative update for maximum security and protection. The latest cumulative updates may also resolve known issues. This walkthrough describes how to update a WinPE boot image with the latest cumulative update. +Thw Windows PE (WinPE) boot images that are included with the Windows ADK have a minimal amount of features and drivers. However the boot images can be customized by adding drivers, optional components, and applying the latest cumulative update. + +Microsoft recommends updating Windows PE boot images with the latest cumulative update for maximum security and protection. The latest cumulative updates may also resolve known issues. For example, the Windows PE boot image can be updated with the latest cumulative update to address the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). + +This walkthrough describes how to customize a Windows PE boot image including updating with the latest cumulative update, adding drivers, and adding optional components. Additionally this walkthrough will go over how customizations in boot images affect several different popular products that utilize boot images, such as Microsoft Configuration Manager, Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). ## Prerequisites 
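Review bot: The first added paragraph opens with "Thw Windows PE", which should be "The Windows PE", and "However the boot images" needs a comma after "However". Separately, the KB5025885 link in the second added paragraph uses the host prod.support.services.microsoft.com, while the support link in the Family options hunk earlier in this series uses support.microsoft.com. Check that this is the intended public URL, and apply the same check to the identical link added in the Step 8 hunk.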
@@ -72,7 +76,7 @@ Microsoft recommends updating Windows PE (WinPE) boot images with the latest cum 1. Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update. The Windows version of the cumulative update should match the version of the Windows PE boot image that is being updated. -1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"- cumulative update for windows "` where `year` is the four digit current year, `` is the two digit current month, and `` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in July 2023, use the search term `"2023-07 cumulative update for windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search on the previous month. +1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"- cumulative update for windows "` where `year` is the four digit current year, `` is the two digit current month, and `` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in August 2023, use the search term `"2023-08 cumulative update for windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search on the previous month. 1. Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the **Cumulative Update for Windows 11 Version 22H2 for x64-based Systems** version of the update. 
@@ -394,7 +398,7 @@ Add-WindowsPackage -PackagePath "\.msu" -Path "" /Add-Package /PackagePath:"\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files ```powershell Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi" -Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Force +Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" -Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" -Force +Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" ``` To overwrite the bootmgr boot files and any backed up bootmgr boot file without confirmation, for example in a script, add the `-Force` parameter to the end of the command lines. 
@@ -647,18 +651,17 @@ copy "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Ki To overwrite the bootmgr boot files and any backed up bootmgr boot file without confirmation, for example in a script, add the `/Y` parameter to the end of the command lines. - For more information, see [copy](/windows-server/administration/windows-commands/copy). --- -This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr boot files are available to the Windows ADK when creating bootable media via the Windows ADK. When these files are updated in the Windows ADK, products that use the Windows ADK to create bootable media also have access to the updated bootmgr boot files. +This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr boot files are available to the Windows ADK when creating bootable media via the Windows ADK. When these files are updated in the Windows ADK, products that use the Windows ADK to create bootable media, such as **Microsoft Deployment Toolkit (MDT)**, also have access to the updated bootmgr boot files. In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). > [!NOTE] > -> Both **Microsoft Configuration Manager** and **Microsoft Deployment Toolkit (MDT)** will automatically extract these bootmgr boot files from the boot images as needed. No additional steps are needed for these products. 
+> **Microsoft Configuration Manager** automatically extracts these bootmgr boot files from the boot images as needed. No additional steps are needed for **Microsoft Configuration Manager**. ## Step 9: Perform component cleanup @@ -682,7 +685,7 @@ Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase" -Wait -LoadUserProfile ``` -For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Cleanup-Image](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#cleanup-image). +For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image), [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Cleanup-Image](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#cleanup-image), and [Start-Process](/powershell/module/microsoft.powershell.management/start-process). ### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) 
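Review bot: The `Start-Process` example that the new documentation link refers to has a quoting problem in the context line just above the changed sentence. `-ArgumentList " /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase"` puts unescaped double quotes around `C:\Mount` inside a double-quoted string, so the outer string closes right after `/Image:` and the remainder is parsed separately. Since this hunk is already touching the paragraph, switch the outer string to single quotes, as in `-ArgumentList '/Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase'`, or escape the inner quotes.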
@@ -845,13 +848,13 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag From an elevated **Deployment and Imaging Tools Environment** command prompt, run the following command to delete the original updated boot image: ```cmd - del "\.wim" /Y + del "\.wim" /F ``` **Example**: ```cmd - del "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /Y + del "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /F ``` For more information, see [del](/windows-server/administration/windows-commands/del). 
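Review bot: Replacing `/Y` with `/F` on both `del` lines is correct, since `/Y` is not a `del` switch, but the step never says what `/F` does. The copy steps elsewhere in the article explain their overwrite switch in a sentence after the code block; add the same here, stating that `/F` forces deletion of the file even when it is marked read-only. That matters because this command removes the original `winpe.wim` and can't be undone.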
@@ -952,34 +955,6 @@ The `winpe.wim` boot image from the Windows ADK should be updated because if `bo Updating `winpe.wim` from the Windows ADK ensures that the cumulative update stays applied regardless of what changes are made to the `boot.wim` boot image via Configuration Manager. -### Updating the boot image in Configuration Manager - -After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager so that it contains the cumulative update. A new `boot.wim` boot image can be generated by using the following steps: - -1. Open the Microsoft Configuration manager console. - -1. In the Microsoft Configuration manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**. - -1. In the **Boot Images** pane, select the desired boot image. - -1. In the toolbar, select **Update Distribution Points**. - -1. When the **Update Distribution Points Wizard** window that appears: - - 1. In the **General**/**Update distribution points with this image** page, select the **Reload this boot image with the current Windows PE version from the Windows ADK** option, and then select the **Next >** button. - - 1. In the **Summary** page, select the **Next >** button. - - 1. The **Progress** page appears while the boot image builds. - - 1. Once the boot image finishes building, the **The task "Update Distribution Points Wizard" completed successfully**/**Completion** page appears. Select the **Close** button. - -This process updates the boot image used by Configuration Manager. It also updates the boot image and the bootmgr boot files used by any PXE enabled distribution points. - -> [!IMPORTANT] -> -> If there are multiple boot images used in the environment for PXE enabled distribution points, make sure to update all of the PXE enabled boot images with the same cumulative update. 
This will ensure that the PXE enabled distribution points all use the version of the bootmgr boot files extracted from the boot images (if applicable). - ### Add optional components manually to Configuration Manager boot images For Microsoft Configuration Manager boot images, when applying a cumulative update to a boot image, make sure to add any desired optional components manually using the command lines from the walkthrough instead of adding them through Configuration Manager. Optional components are added to boot images in Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. 
@@ -1009,9 +984,37 @@ When adding optional components to any boot image used by Configuration Manager For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). +### Updating the boot image in Configuration Manager + +After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager so that it contains the cumulative update. A new `boot.wim` boot image can be generated by using the following steps: + +1. Open the Microsoft Configuration manager console. + +1. In the Microsoft Configuration manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**. + +1. In the **Boot Images** pane, select the desired boot image. + +1. In the toolbar, select **Update Distribution Points**. + +1. When the **Update Distribution Points Wizard** window that appears: + + 1. In the **General**/**Update distribution points with this image** page, select the **Reload this boot image with the current Windows PE version from the Windows ADK** option, and then select the **Next >** button. + + 1. In the **Summary** page, select the **Next >** button. + + 1. The **Progress** page appears while the boot image builds. + + 1. Once the boot image finishes building, the **The task "Update Distribution Points Wizard" completed successfully**/**Completion** page appears. Select the **Close** button. + +This process updates the boot image used by Configuration Manager. It also updates the boot image and the bootmgr boot files used by any PXE enabled distribution points. 
+ +> [!IMPORTANT] +> +> If there are multiple boot images used in the environment for PXE enabled distribution points, make sure to update all of the PXE enabled boot images with the same cumulative update. This will ensure that the PXE enabled distribution points all use the version of the bootmgr boot files extracted from the boot images (if applicable). + ### Updating Configuration Manager boot media -After completing the walkthrough, including updating boot images in Configuration Manager, update any Configuration Manager task sequence media. Updating any Configuration Manager task sequence media ensures that the task sequence media has both the updated boot image and if applicable, updated boot files. For more information, see [Create task sequence media](/mem/configmgr/osd/deploy-use/create-task-sequence-media). +After completing the walkthrough, including updating boot images in Configuration Manager, update any Configuration Manager task sequence media. Updating any Configuration Manager task sequence media ensures that the task sequence media has both the updated boot image. If applicable, it will also updat bootmgr boot files on the media by extracting the latest versions from the boot image. For more information on creating Configuration Manager task sequence media, see [Create task sequence media](/mem/configmgr/osd/deploy-use/create-task-sequence-media). ## Microsoft Deployment Toolkit (MDT) considerations 
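Review bot: The rewritten paragraph under `### Updating Configuration Manager boot media` has two wording errors in the added line. "has both the updated boot image." leaves "both" without a second item, and "it will also updat bootmgr boot files" should read "update the bootmgr boot files". The relocated section above it is moved verbatim, so "Microsoft Configuration manager console" (lowercase "manager", twice) and "When the **Update Distribution Points Wizard** window that appears:" come along unchanged. Since the block is being re-added here, this is a convenient place to fix them.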
@@ -1019,28 +1022,6 @@ When adding a cumulative update to a Microsoft Deployment Toolkit (MDT) boot ima The `winpe.wim` boot image from the Windows ADK should be updated because if `LiteTouchPE_.wim` is updated instead, then the next time the MDT Deployment Share is updated, the changes made to `LiteTouchPE_.wim`, including the applied cumulative update, will be lost. If the `winpe.wim` boot image from the Windows ADK is updated with the cumulative update instead, then the cumulative update persists and is preserved even when the MDT Deployment Share is updated. -### Updating the boot image and boot media in MDT - -After updating the `winpe.wim` boot image from the Windows ADK, generate a new `LiteTouchPE_.wim` boot image for MDT that contains the cumulative update by using the following steps: - -1. Open the Microsoft Deployment Toolkit (MDT) Deployment Workbench console. - -1. In the Deployment Workbench console, navigate to **Deployment Workbench** > **Deployment Shares** > **MDT Deployment Share**. - -1. Right click on **MDT Deployment Share** and select **Update Deployment Share**. - -1. In the **Update Deployment Share Wizard** window that appears: - - 1. In the **Options** page, select the **Completely regenerate the boot images** option, and then select the **Next >** button. - - 1. In the **Summary** page, select the **Next >** button. - - 1. The **Progress** page appears while the boot image and deployment share build. - - 1. Once the boot image and deployment share finish building, the **The process completed successfully**/**Confirmation** page appears. Select the **Finish** button. - -These steps also update the MDT boot media in the MDT Deployment Share. After following the above steps, use the newly updated ISO files in the `\Boot` folder to create new MDT boot media. - ### MDT and Windows ADK versions Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. 
When MDT is used, the recommendation is to use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads) instead of the latest version of the Windows ADK. **ADK for Windows 10, version 2004** was the last version of the Windows ADK supported by MDT. 
@@ -1061,10 +1042,70 @@ When adding optional components to any boot image used by MDT during the [Step 6 For a list of all available WinPE optional components including descriptions for each component, see [WinPE Optional Components (OC) Reference: WinPE Optional Components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference#winpe-optional-components). +### Updating the boot image and boot media in MDT + +After updating the `winpe.wim` boot image from the Windows ADK, generate a new `LiteTouchPE_.wim` boot image for MDT that contains the cumulative update followed by creating new MDT boot media. New MDT boot images and MDT boot media can be generated by using the following steps: + +1. Make sure [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path) has been completed. MDT copies the bootmgr boot files from the Windows ADK installation path to its deployment share. Following this step makes sure that the deployment share has the latest bootmgr boot files which are needed when creating MDT boot media. + +1. Open the Microsoft Deployment Toolkit (MDT) Deployment Workbench console. + +1. In the Deployment Workbench console, navigate to **Deployment Workbench** > **Deployment Shares** > **MDT Deployment Share**. + +1. Right click on **MDT Deployment Share** and select **Update Deployment Share**. + +1. In the **Update Deployment Share Wizard** window that appears: + + 1. In the **Options** page, select the **Completely regenerate the boot images** option, and then select the **Next >** button. + + 1. In the **Summary** page, select the **Next >** button. + + 1. The **Progress** page appears while the boot image and deployment share build. + + 1. Once the boot image and deployment share finish building, the **The process completed successfully**/**Confirmation** page appears. Select the **Finish** button. 
+ +These steps also update the MDT boot media in the MDT Deployment Share. After following the above steps, use the newly updated ISO files in the `\Boot` folder to create new MDT boot media. + ## Windows Deployment Services (WDS) considerations +### Update boot image and boot files in WDS + +If the WDS boot image modified was the original WDS boot image in the folder, then the only additional step to take is to restart `Windows Deployment Services Server` service. This can be done using the following command lines: + +### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + +From an elevated **PowerShell** command prompt, run the following command to to restart the `Windows Deployment Services Server` service: + +```powershell +Restart-Service -Name WDSServer +``` + +For more information, see [Restart-Service](/powershell/module/microsoft.powershell.management/restart-service). + +### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + +From an elevated command prompt, run the following command to `Windows Deployment Services Server` service: + +```cmd +wdsutil.exe /Stop-Server +wdsutil.exe /Start-Server +``` + +or + +```cmd +net.exe stop WDSServer +net.exe start WDSServer +``` + +For more information, see [wdsutil stop-server](/windows-server/administration/windows-commands/wdsutil-stop-server) and [wdsutil start-server](/windows-server/administration/windows-commands/wdsutil-start-server). + +--- + +## Boot.wim support + The **boot.wim** that is part of Windows installation media isn't supported for deploying Windows 11 with Windows Deployment Services (WDS). Additionally, the **boot.wim** from Windows 11 installation media isn't supported for deploying any version of Windows with Windows Deployment Services (WDS). For more information, see [Windows Deployment Services (WDS) boot.wim support](wds-boot-support.md). 
## Windows Server 2012 R2 -This walk-through isn't intended for use with Windows Server 2012 R2. Although the steps in this article may work with Windows Server 2012 R2 older versions of the Windows ADK, it may have compatibility problems with versions of the Windows ADK that are newer than the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). For server OSes, it's recommended to use Windows Server 2016 or later for this walk-through. For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2). +This walk-through isn't intended for use with Windows Server 2012 R2. Although the steps in this article may work with Windows Server 2012 R2 when using older versions of the Windows ADK, it may have compatibility problems with versions of the Windows ADK that are newer than the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). For server OSes, it's recommended to use Windows Server 2016 or later for this walk-through. For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2). From 0195bf678371c73170eda2190be968a60312e6cf Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 12:51:54 -0400 Subject: [PATCH 104/110] update --- windows/security/index.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 8c8d647a5a..8001fed62a 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -13,7 +13,7 @@ metadata: author: paolomatarazzo ms.author: paoloma manager: aaroncz - ms.date: 07/28/2023 + ms.date: 08/11/2023 highlightedContent: items: 
@@ -23,9 +23,9 @@ highlightedContent: - title: Windows 11, version 22H2 itemType: whats-new url: /windows/whats-new/whats-new-windows-11-version-22H2 - - title: Windows 11, version 22H2 group policy settings reference - itemType: download - url: https://www.microsoft.com/en-us/download/details.aspx?id=104594 + - title: Advance your security posture with Microsoft Intune from chip to cloud + itemType: learn + url: https://learn.microsoft.com/training/modules/m365-advance-organization-security-posture/ - title: Security features licensing and edition requirements itemType: overview url: /windows/security/licensing-and-edition-requirements From 37620bedc15c9bece1525a64092f18680112422d Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 11 Aug 2023 15:03:17 -0400 Subject: [PATCH 105/110] Revert "add spelling experience" --- windows/configuration/windows-accessibility-for-ITPros.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md index 89794e0b11..34434f0a9d 100644 --- a/windows/configuration/windows-accessibility-for-ITPros.md +++ b/windows/configuration/windows-accessibility-for-ITPros.md @@ -16,8 +16,6 @@ appliesto: - ✅ Windows 11 --- - - # Accessibility information for IT professionals Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows. 
@@ -113,8 +111,6 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy - [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). -- With spellings experience in voice access, you can dictate a complex or non-standard word letter-by-letter and add it to Windows dictionary. The next time you try to dictate the same word, voice access improves its recognition. - - [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec). - [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/en-us/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). From 57fd4f30d120c45123230c3109f20df05bc737cb Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 11 Aug 2023 16:40:16 -0400 Subject: [PATCH 106/110] Update Boot Image with CU Article 56 --- windows/deployment/customize-boot-image.md | 170 ++++++++++++++++++++- 1 file changed, 165 insertions(+), 5 deletions(-) diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md index 41a1c4926a..3258bd0efb 100644 --- a/windows/deployment/customize-boot-image.md +++ b/windows/deployment/customize-boot-image.md 
@@ -1070,11 +1070,13 @@ These steps also update the MDT boot media in the MDT Deployment Share. After fo ### Update boot image and boot files in WDS -If the WDS boot image modified was the original WDS boot image in the folder, then the only additional step to take is to restart `Windows Deployment Services Server` service. This can be done using the following command lines: +### Boot image in WDS is updated -### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) +If the WDS boot image modified was the original WDS boot image in the `` folder, then the only additional step to take is to restart `Windows Deployment Services Server` service. This can be done using the following command lines: -From an elevated **PowerShell** command prompt, run the following command to to restart the `Windows Deployment Services Server` service: +#### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + +From an elevated **PowerShell** command prompt, run the following command to restart the `Windows Deployment Services Server` service: ```powershell Restart-Service -Name WDSServer @@ -1082,9 +1084,9 @@ Restart-Service -Name WDSServer For more information, see [Restart-Service](/powershell/module/microsoft.powershell.management/restart-service). -### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) +#### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) -From an elevated command prompt, run the following command to `Windows Deployment Services Server` service: +From an elevated command prompt, run the following command to restart the `Windows Deployment Services Server` service: ```cmd wdsutil.exe /Stop-Server 
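Review bot: The added `### Boot image in WDS is updated` heading is at the same level as the `### Update boot image and boot files in WDS` heading directly above it, which leaves that heading with no content of its own and makes the scenario its sibling instead of its child. Either drop the empty parent heading or nest the scenario headings one level deeper and shift the tab headings to match. In the rewritten paragraph below it, "restart `Windows Deployment Services Server` service" is also missing "the".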
@@ -1102,6 +1104,164 @@ For more information, see [wdsutil stop-server](/windows-server/administration/w --- +### Existing boot image in WDS is updated with a new update boot image + +In the following boot image replacement scenario for WDS: + +- The boot image modified as part of this guide is outside of the `` folder, for example the `winpe.wim` boot image that comes with the Windows ADK +- An existing boot image in WDS is being replaced with the updated boot image + +then follow these steps to update the boot image in WDS: + +1. Replace the existing boot image in WDS with the modified boot image using the following command lines: + + #### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + + In PowerShell, the original boot image needs to be removed first and then replaced with a new image. From an elevated **PowerShell** command prompt, run the following commands to replace an existing boot image in WDS with a new boot image: + + ```powershell + Remove-WdsBootImage -Architecture -ImageName "" + Import-WdsBootImage -Path "\.wim" -NewImageName "" + ``` + + **Example**: + + ```powershell + Remove-WdsBootImage -Architecture x64 -ImageName "Microsoft Windows PE (amd64)" + Import-WdsBootImage -Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -NewImageName "Microsoft Windows PE (amd64)" + ``` + + For more information, see [Remove-WdsBootImage](/powershell/module/wds/remove-wdsbootimage) and [Import-WdsBootImage](/powershell/module/wds/import-wdsbootimage). 
+ + #### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + + From an elevated command prompt, run the following command to replace an existing boot image in WDS with a new boot image: + + ```cmd + wdsutil.exe /Verbose /Progress /Replace-Image /Image:"" /ImageType:Boot /Architecture: /ReplacementImage /ImageFile:"\.wim" + ``` + + **Example**: + + ```cmd + wdsutil.exe /Verbose /Progress /Replace-Image /Image:"Microsoft Windows PE (amd64)" /ImageType:Boot /Architecture:x64 /ReplacementImage /ImageFile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" + ``` + + For more information, see [wdsutil replace-image](/windows-server/administration/windows-commands/wdsutil-replace-image). + + --- + +2. Once the existing boot image in WDS has been replaced, restart the WDS service: + + #### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + + From an elevated **PowerShell** command prompt, run the following command to to restart the `Windows Deployment Services Server` service: + + ```powershell + Restart-Service -Name WDSServer + ``` + + For more information, see [Restart-Service](/powershell/module/microsoft.powershell.management/restart-service). + + #### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + + From an elevated command prompt, run the following command to restart the `Windows Deployment Services Server` service: + + ```cmd + wdsutil.exe /Stop-Server + wdsutil.exe /Start-Server + ``` + + or + + ```cmd + net.exe stop WDSServer + net.exe start WDSServer + ``` + + For more information, see [wdsutil stop-server](/windows-server/administration/windows-commands/wdsutil-stop-server) and [wdsutil start-server](/windows-server/administration/windows-commands/wdsutil-start-server). 
+ + --- + +### Updated boot image is added as a new boot image in WDS + +In the following boot image scenario for WDS: + +- The boot image modified as part of this guide is outside of the `` folder, for example the `winpe.wim` boot image that comes with the Windows ADK +- The updated boot image is being added as a new boot image in WDS + +then follow these steps to add the boot image in WDS: + +1. Add the updated boot image to WDS using the following command lines: + + #### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + + From an elevated **PowerShell** command prompt, run the following commands to add the updated boot image in WDS as a new boot image: + + ```powershell + Import-WdsBootImage -Path "\.wim" -NewImageName "" + ``` + + **Example**: + + ```powershell + Import-WdsBootImage -Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -NewImageName "Microsoft Windows PE (amd64) - Updated" + ``` + + For more information, see [Import-WdsBootImage](/powershell/module/wds/import-wdsbootimage). + + #### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + + From an elevated command prompt, run the following command to replace an existing boot image in WDS with a new boot image: + + ```cmd + wdsutil.exe /Verbose /Progress /Add-Image /ImageFile:"\.wim" /ImageType:Boot /Name:"" + + ``` + + **Example**: + + ```cmd + wdsutil.exe /Verbose /Progress /Add-Image /ImageFile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /ImageType:Boot /Name:"Microsoft Windows PE (amd64) - Updated" + + ``` + + For more information, see [wdsutil add-image](/windows-server/administration/windows-commands/wdsutil-add-image). + + --- + +2. 
Once the existing boot image in WDS has been replaced, restart the WDS service: + + #### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) + + From an elevated **PowerShell** command prompt, run the following command to to restart the `Windows Deployment Services Server` service: + + ```powershell + Restart-Service -Name WDSServer + ``` + + For more information, see [Restart-Service](/powershell/module/microsoft.powershell.management/restart-service). + + #### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line) + + From an elevated command prompt, run the following command to restart the `Windows Deployment Services Server` service: + + ```cmd + wdsutil.exe /Stop-Server + wdsutil.exe /Start-Server + ``` + + or + + ```cmd + net.exe stop WDSServer + net.exe start WDSServer + ``` + + For more information, see [wdsutil stop-server](/windows-server/administration/windows-commands/wdsutil-stop-server) and [wdsutil start-server](/windows-server/administration/windows-commands/wdsutil-start-server). + + --- + ## Boot.wim support The **boot.wim** that is part of Windows installation media isn't supported for deploying Windows 11 with Windows Deployment Services (WDS). Additionally, the **boot.wim** from Windows 11 installation media isn't supported for deploying any version of Windows with Windows Deployment Services (WDS). For more information, see [Windows Deployment Services (WDS) boot.wim support](wds-boot-support.md). From 8ad805d05ac72730cf7b29a25e54b82ed8326f6c Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Fri, 11 Aug 2023 13:42:35 -0700 Subject: [PATCH 107/110] bump date for freshness --- windows/whats-new/whats-new-windows-11-version-22H2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md index dbefc450e8..4e91dc9a19 100644 
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md +++ b/windows/whats-new/whats-new-windows-11-version-22H2.md @@ -11,7 +11,7 @@ ms.collection: - highpri - tier2 ms.technology: itpro-fundamentals -ms.date: 12/31/2017 +ms.date: 08/11/2023 appliesto: - ✅ Windows 11, version 22H2 --- From e508a5f1e0fbd8872aac62b63258e83876fbdb48 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 11 Aug 2023 16:56:12 -0400 Subject: [PATCH 108/110] Update Boot Image with CU Article 57 --- windows/deployment/customize-boot-image.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md index 3258bd0efb..18cfcfb983 100644 --- a/windows/deployment/customize-boot-image.md +++ b/windows/deployment/customize-boot-image.md 
@@ -21,11 +21,11 @@ appliesto: -Thw Windows PE (WinPE) boot images that are included with the Windows ADK have a minimal amount of features and drivers. However the boot images can be customized by adding drivers, optional components, and applying the latest cumulative update. +The Windows PE (WinPE) boot images that are included with the Windows ADK have a minimal number of features and drivers. However the boot images can be customized by adding drivers, optional components, and applying the latest cumulative update. Microsoft recommends updating Windows PE boot images with the latest cumulative update for maximum security and protection. The latest cumulative updates may also resolve known issues. For example, the Windows PE boot image can be updated with the latest cumulative update to address the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). -This walkthrough describes how to customize a Windows PE boot image including updating with the latest cumulative update, adding drivers, and adding optional components. Additionally this walkthrough will go over how customizations in boot images affect several different popular products that utilize boot images, such as Microsoft Configuration Manager, Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). +This walkthrough describes how to customize a Windows PE boot image including updating with the latest cumulative update, adding drivers, and adding optional components. 
Additionally this walkthrough goes over how customizations in boot images affect several different popular products that utilize boot images, such as Microsoft Configuration Manager, Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). ## Prerequisites @@ -1046,7 +1046,7 @@ For a list of all available WinPE optional components including descriptions for After updating the `winpe.wim` boot image from the Windows ADK, generate a new `LiteTouchPE_.wim` boot image for MDT that contains the cumulative update followed by creating new MDT boot media. New MDT boot images and MDT boot media can be generated by using the following steps: -1. Make sure [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path) has been completed. MDT copies the bootmgr boot files from the Windows ADK installation path to its deployment share. Following this step makes sure that the deployment share has the latest bootmgr boot files which are needed when creating MDT boot media. +1. Make sure [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path) has been completed. MDT copies the bootmgr boot files from the Windows ADK installation path to its deployment share. Following this step makes sure that the deployment share has the latest bootmgr boot files that are needed when creating MDT boot media. 1. Open the Microsoft Deployment Toolkit (MDT) Deployment Workbench console. 
@@ -1072,7 +1072,7 @@ These steps also update the MDT boot media in the MDT Deployment Share. After fo ### Boot image in WDS is updated -If the WDS boot image modified was the original WDS boot image in the `` folder, then the only additional step to take is to restart `Windows Deployment Services Server` service. This can be done using the following command lines: +If the WDS boot image modified was the original WDS boot image in the `` folder, then the only additional step to take is to restart `Windows Deployment Services Server` service. WDS can be restarted by using the following command lines: #### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) @@ -1108,7 +1108,7 @@ For more information, see [wdsutil stop-server](/windows-server/administration/w In the following boot image replacement scenario for WDS: -- The boot image modified as part of this guide is outside of the `` folder, for example the `winpe.wim` boot image that comes with the Windows ADK +- The boot image modified as part of this guide is outside of the `` folder. For example, the `winpe.wim` boot image that comes with the Windows ADK - An existing boot image in WDS is being replaced with the updated boot image then follow these steps to update the boot image in WDS: @@ -1155,7 +1155,7 @@ then follow these steps to update the boot image in WDS: #### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) - From an elevated **PowerShell** command prompt, run the following command to to restart the `Windows Deployment Services Server` service: + From an elevated **PowerShell** command prompt, run the following command to restart the `Windows Deployment Services Server` service: ```powershell Restart-Service -Name WDSServer 
@@ -1187,7 +1187,7 @@ then follow these steps to update the boot image in WDS: In the following boot image scenario for WDS: -- The boot image modified as part of this guide is outside of the `` folder, for example the `winpe.wim` boot image that comes with the Windows ADK +- The boot image modified as part of this guide is outside of the `` folder. For example, the `winpe.wim` boot image that comes with the Windows ADK - The updated boot image is being added as a new boot image in WDS then follow these steps to add the boot image in WDS: @@ -1234,7 +1234,7 @@ then follow these steps to add the boot image in WDS: #### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) - From an elevated **PowerShell** command prompt, run the following command to to restart the `Windows Deployment Services Server` service: + From an elevated **PowerShell** command prompt, run the following command to restart the `Windows Deployment Services Server` service: ```powershell Restart-Service -Name WDSServer 
@@ -1268,4 +1268,4 @@ The **boot.wim** that is part of Windows installation media isn't supported for ## Windows Server 2012 R2 -This walk-through isn't intended for use with Windows Server 2012 R2. Although the steps in this article may work with Windows Server 2012 R2 when using older versions of the Windows ADK, it may have compatibility problems with versions of the Windows ADK that are newer than the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). For server OSes, it's recommended to use Windows Server 2016 or later for this walk-through. For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2). +This walk-through isn't intended for use with Windows Server 2012 R2. Although the steps in this article may work with Windows Server 2012 R2 when using older versions of the Windows ADK. However it may have compatibility problems with versions of the Windows ADK that are newer than the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). For server OSes, it's recommended to use Windows Server 2016 or later for this walk-through. For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2). From 6c7ffadf0a1bf1d6b093db1334c9d10c37281c2b Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 11 Aug 2023 17:03:08 -0400 Subject: [PATCH 109/110] Update Boot Image with CU Article 58 --- windows/deployment/customize-boot-image.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md index 18cfcfb983..64a27ccf8e 100644 --- a/windows/deployment/customize-boot-image.md +++ b/windows/deployment/customize-boot-image.md 
@@ -85,8 +85,10 @@ This walkthrough describes how to customize a Windows PE boot image including up > [!TIP] > > It is recommended to use the full cumulative update when updating boot images with a cumulative update. However, instead of downloading the full cumulative update, the cumulative update for SafeOS can be downloaded and used instead. This will reduce the size of the final updated boot image. If any issues occur with a boot image updated with the SafeOS cumulative update, then use the full cumulative update instead. + +> [!NOTE] > -> The SafeOS cumulative update can be found in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site by searching on... +> When updating the boot image in the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads), download the cumulative update for Windows 10 Version 22H2. ## Step 3: Backup existing boot image 
@@ -1024,7 +1026,7 @@ The `winpe.wim` boot image from the Windows ADK should be updated because if `Li ### MDT and Windows ADK versions -Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. When MDT is used, the recommendation is to use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads) instead of the latest version of the Windows ADK. **ADK for Windows 10, version 2004** was the last version of the Windows ADK supported by MDT. +Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. When MDT is used, the recommendation is to use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads) instead of the latest version of the Windows ADK. **ADK for Windows 10, version 2004** was the last version of the Windows ADK supported by MDT. When updating the boot image for the ADK for Windows 10, version 2004 with a cumulative update, use the cumulative update for Windows 10 Version 22H2. ### MDT boot image required components From 4ba3085c2a915dd0979a01f91e59ccda3f261436 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 11 Aug 2023 17:37:16 -0400 Subject: [PATCH 110/110] Update Boot Image with CU Article 59 --- windows/deployment/TOC.yml | 2 ++ windows/deployment/customize-boot-image.md | 13 +++++++------ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 20d9752fdf..b8da7a6027 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -591,3 +591,5 @@ - name: Install fonts in Windows client href: windows-10-missing-fonts.md + - name: Customize Windows PE boot images + href: customize-boot-image.md diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md index 64a27ccf8e..deed6bd549 100644 
--- a/windows/deployment/customize-boot-image.md +++ b/windows/deployment/customize-boot-image.md @@ -663,7 +663,7 @@ In particular, this step is needed when addressing the BlackLotus UEFI bootkit v > [!NOTE] > -> **Microsoft Configuration Manager** automatically extracts these bootmgr boot files from the boot images as needed. No additional steps are needed for **Microsoft Configuration Manager**. +> **Microsoft Configuration Manager** and **Windows Deployment Services (WDS)** automatically extract the bootmgr boot files from the boot images when the boot images are updated in these products. They don't use the bootmgr boot files from the Windows ADK. ## Step 9: Perform component cleanup @@ -906,6 +906,9 @@ After the default `winpe.wim` boot image from the Windows ADK has been updated, - [Microsoft Configuration Manager](#updating-the-boot-image-in-configuration-manager) - [Microsoft Deployment Toolkit (MDT)](#updating-the-boot-image-and-boot-media-in-mdt) - Windows Deployment Services + - [Original WDS boot image is updated](#original-wds-boot-image-is-updated) + - [WDS boot image is replaced with new updated boot image](#wds-boot-image-is-replaced-with-new-updated-boot-image) + - [Add updated boot image as a new boot image in WDS](#add-updated-boot-image-as-a-new-boot-image-in-wds) For any other products that utilize boot images, consult the product's documentation on updating the boot image. @@ -1070,9 +1073,7 @@ These steps also update the MDT boot media in the MDT Deployment Share. After fo ## Windows Deployment Services (WDS) considerations -### Update boot image and boot files in WDS - -### Boot image in WDS is updated +### Original WDS boot image is updated If the WDS boot image modified was the original WDS boot image in the `` folder, then the only additional step to take is to restart `Windows Deployment Services Server` service. WDS can be restarted by using the following command lines: 
@@ -1106,7 +1107,7 @@ For more information, see [wdsutil stop-server](/windows-server/administration/w --- -### Existing boot image in WDS is updated with a new update boot image +### WDS boot image is replaced with new updated boot image In the following boot image replacement scenario for WDS: @@ -1185,7 +1186,7 @@ then follow these steps to update the boot image in WDS: --- -### Updated boot image is added as a new boot image in WDS +### Add updated boot image as a new boot image in WDS In the following boot image scenario for WDS:
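Review bot: In PATCH 108/110, hunk @@ -1072,7 +1072,7 @@ of customize-boot-image.md, the replacement sentence "WDS can be restarted by using the following command lines" changes the subject from the service to the product. The preceding sentence, and the `Restart-Service -Name WDSServer` command shown in the later hunks, restart the `Windows Deployment Services Server` service specifically. Suggest "The service can be restarted by using the following commands". Since the line is being touched anyway, also add the missing article in "restart the `Windows Deployment Services Server` service".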
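Review bot: In PATCH 108/110, hunks @@ -1108,7 +1108,7 @@ and @@ -1187,7 +1187,7 @@, splitting the first bullet into "... folder. For example, the `winpe.wim` boot image that comes with the Windows ADK" leaves a sentence fragment with no verb or closing period. It also breaks the construction that runs from "In the following boot image scenario for WDS:" through both bullets to "then follow these steps". Either keep the original comma form, or make the example a complete parenthetical inside the bullet, for instance "... folder (for example, the `winpe.wim` boot image that comes with the Windows ADK)".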
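Review bot: In PATCH 108/110, hunk @@ -1268,4 +1268,4 @@, the rewrite turns "Although the steps in this article may work with Windows Server 2012 R2 when using older versions of the Windows ADK." into a standalone sentence, but it is a dependent clause, and the following "However it may have compatibility problems" then repeats the contrast. Suggest dropping "Although" and adding the comma: "The steps in this article may work with Windows Server 2012 R2 when using older versions of the Windows ADK. However, they may have compatibility problems with ...". Note that "it" has no clear antecedent once the sentence is split.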
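Review bot: In PATCH 109/110, hunk @@ -85,8 +85,10 @@, the removed line was the only place in the visible TIP that told the reader where to obtain the SafeOS cumulative update (the Microsoft Update Catalog). After this change the TIP still recommends the SafeOS update as an alternative but no longer says where to get it. If the old sentence was dropped because it was incomplete, replace it with a complete one rather than removing the pointer. Also, the new NOTE writes "Windows 10 Version 22H2" with a capital V and no comma, while the same sentence links "ADK for Windows 10, version 2004"; pick one form.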
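Review bot: In PATCH 109/110, hunk @@ -1024,7 +1026,7 @@, the sentence appended to "MDT and Windows ADK versions" restates the guidance that the same patch adds as a NOTE near Step 3, with slightly different wording ("updating the boot image for the ADK" here, "updating the boot image in the ADK" there). Two copies of a version-pairing rule tend to drift when the recommended cumulative update changes. Suggest keeping the full statement in one place and linking to it from the other, or at least making the two sentences identical.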
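Review bot: In PATCH 110/110, hunk @@ -663,7 +663,7 @@ of customize-boot-image.md, the rewritten NOTE drops the explicit statement "No additional steps are needed" and no longer tells the reader whether this step still has to be performed when only Configuration Manager or WDS is in use. The context line just above says this step is needed when addressing the BlackLotus UEFI bootkit vulnerability, so a reader should not have to infer the answer from "They don't use the bootmgr boot files from the Windows ADK." Suggest stating the consequence directly, for example that the step can be skipped for these two products, or that it is still recommended so the ADK copy stays current for other tools such as MDT, whichever is intended.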
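Review bot: In PATCH 110/110, the three WDS heading renames (hunks @@ -1070,9 +1073,7 @@, @@ -1106,7 +1107,7 @@ and @@ -1185,7 +1186,7 @@) change the generated anchors, and the headings are not parallel: two are passive statements ("Original WDS boot image is updated", "WDS boot image is replaced with new updated boot image") and the third is an imperative ("Add updated boot image as a new boot image in WDS"). The links added in hunk @@ -906,6 +906,9 @@ match the new slugs, but nothing in the patch shows a check for inbound links to the old anchors from other articles, so search the repo for them before merging. Consider one grammatical form for all three headings, and link the parent "Windows Deployment Services" bullet in the @@ -906 list to the "Windows Deployment Services (WDS) considerations" section, as its two sibling entries are linked.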