diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 9c1330bdc3..b384589f9d 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -86,24 +86,29 @@ You can configure Windows to be in shared PC mode in a couple different ways:
- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
2. Select **Devices** > **Windows** > **Configuration profiles** > **Create profile**.
+
3. Enter the following properties:
- - **Platform**: Select **Windows 10 and later**.
- - **Profile**: Select **Templates** > **Shared multi-user device**.
+ - **Platform**: Select **Windows 10 and later**.
+ - **Profile**: Select **Templates** > **Shared multi-user device**.
4. Select **Create**.
+
5. In **Basics**, enter the following properties:
- - **Name**: Enter a descriptive name for the new profile.
- - **Description**: Enter a description for the profile. This setting is optional, but recommended.
+ - **Name**: Enter a descriptive name for the new profile.
+ - **Description**: Enter a description for the profile. This setting is optional, but recommended.
6. Select **Next**.
+
7. In **Configuration settings**, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings:
8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**.
- 
+ > [!div class="mx-imgBorder"]
+ > 
9. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 4**.
@@ -112,27 +117,27 @@ You can configure Windows to be in shared PC mode in a couple different ways:
- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
-
-```
-$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
-$sharedPC.EnableSharedPCMode = $True
-$sharedPC.SetEduPolicies = $True
-$sharedPC.SetPowerPolicies = $True
-$sharedPC.MaintenanceStartTime = 0
-$sharedPC.SignInOnResume = $True
-$sharedPC.SleepTimeout = 0
-$sharedPC.EnableAccountManager = $True
-$sharedPC.AccountModel = 2
-$sharedPC.DeletionPolicy = 1
-$sharedPC.DiskLevelDeletion = 25
-$sharedPC.DiskLevelCaching = 50
-$sharedPC.RestrictLocalStorage = $False
-$sharedPC.KioskModeAUMID = ""
-$sharedPC.KioskModeUserTileDisplayText = ""
-$sharedPC.InactiveThreshold = 0
-Set-CimInstance -CimInstance $sharedPC
-Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
-```
+
+ ```powershell
+ $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
+ $sharedPC.EnableSharedPCMode = $True
+ $sharedPC.SetEduPolicies = $True
+ $sharedPC.SetPowerPolicies = $True
+ $sharedPC.MaintenanceStartTime = 0
+ $sharedPC.SignInOnResume = $True
+ $sharedPC.SleepTimeout = 0
+ $sharedPC.EnableAccountManager = $True
+ $sharedPC.AccountModel = 2
+ $sharedPC.DeletionPolicy = 1
+ $sharedPC.DiskLevelDeletion = 25
+ $sharedPC.DiskLevelCaching = 50
+ $sharedPC.RestrictLocalStorage = $False
+ $sharedPC.KioskModeAUMID = ""
+ $sharedPC.KioskModeUserTileDisplayText = ""
+ $sharedPC.InactiveThreshold = 0
+ Set-CimInstance -CimInstance $sharedPC
+ Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
+ ```
### Create a provisioning package for shared use
@@ -209,19 +214,24 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
## Guidance for accounts on shared PCs
* We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
+
* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
* On a Windows PC joined to Azure Active Directory:
* By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
+
* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out.
+
* If admin accounts are necessary on the PC
* Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
* Create admin accounts before setting up shared PC mode, or
* Create exempt accounts before signing out when turning shared pc mode on.
+
* The account management service supports accounts that are exempt from deletion.
- * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key.
- * To add the account SID to the registry key using PowerShell:
- ```
+ * An account can be marked exempt from deletion by adding the account SID to the registry key:`HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`.
+ * To add the account SID to the registry key using PowerShell:
+
+ ```powershell
$adminName = "LocalAdmin"
$adminPass = 'Pa$$word123'
iex "net user /add $adminName $adminPass"
@@ -232,8 +242,6 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
```
-
-
## Policies set by shared PC mode
Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 355ea08482..889f6b7bbd 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -211,16 +211,17 @@ When you import drivers to the **MDT driver repository**, **MDT** creates a sing
The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in an elevated **Windows PowerShell prompt**:
-``` powershell
+```powershell
Get-WmiObject -Class:Win32_ComputerSystem
```
+
Or, you can use this command in a normal command prompt:
-```
+```console
wmic csproduct get name
```
-If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
+If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
@@ -266,7 +267,8 @@ On **MDT01**:
For the **ThinkStation P500** model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
-
+> [!div class="mx-imgBorder"]
+> 
To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
@@ -368,60 +370,63 @@ On **MDT01**:
1. Right-click the **MDT Production** deployment share and select **Properties**.
2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment):
- ```
- [Settings]
- Priority=Default
-
- [Default]
- _SMSTSORGNAME=Contoso
- OSInstall=YES
- UserDataLocation=AUTO
- TimeZoneName=Pacific Standard Time
- AdminPassword=pass@word1
- JoinDomain=contoso.com
- DomainAdmin=CONTOSO\MDT_JD
- DomainAdminPassword=pass@word1
- MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
- SLShare=\\MDT01\Logs$
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- USMTMigFiles001=MigApp.xml
- USMTMigFiles002=MigUser.xml
- HideShell=YES
- ApplyGPOPack=NO
- WSUSServer=mdt01.contoso.com:8530
- SkipAppsOnUpgrade=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=NO
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=NO
- SkipBitLocker=YES
- SkipSummary=YES
- SkipCapture=YES
- SkipFinalSummary=NO
- ```
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ _SMSTSORGNAME=Contoso
+ OSInstall=YES
+ UserDataLocation=AUTO
+ TimeZoneName=Pacific Standard Time
+ AdminPassword=pass@word1
+ JoinDomain=contoso.com
+ DomainAdmin=CONTOSO\MDT_JD
+ DomainAdminPassword=pass@word1
+ MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
+ SLShare=\\MDT01\Logs$
+ ScanStateArgs=/ue:*\* /ui:CONTOSO\*
+ USMTMigFiles001=MigApp.xml
+ USMTMigFiles002=MigUser.xml
+ HideShell=YES
+ ApplyGPOPack=NO
+ WSUSServer=mdt01.contoso.com:8530
+ SkipAppsOnUpgrade=NO
+ SkipAdminPassword=YES
+ SkipProductKey=YES
+ SkipComputerName=NO
+ SkipDomainMembership=YES
+ SkipUserData=YES
+ SkipLocaleSelection=YES
+ SkipTaskSequence=NO
+ SkipTimeZone=YES
+ SkipApplications=NO
+ SkipBitLocker=YES
+ SkipSummary=YES
+ SkipCapture=YES
+ SkipFinalSummary=NO
+ ```
3. Click **Edit Bootstrap.ini** and modify using the following information:
-```
-[Settings]
-Priority=Default
+ ```
+ [Settings]
+ Priority=Default
-[Default]
-DeployRoot=\\MDT01\MDTProduction$
-UserDomain=CONTOSO
-UserID=MDT_BA
-UserPassword=pass@word1
-SkipBDDWelcome=YES
-```
+ [Default]
+ DeployRoot=\\MDT01\MDTProduction$
+ UserDomain=CONTOSO
+ UserID=MDT_BA
+ UserPassword=pass@word1
+ SkipBDDWelcome=YES
+ ```
4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
+
5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings:
- - In the **Lite Touch Boot Image Settings** area:
+
+ In the **Lite Touch Boot Image Settings** area:
+
1. Image description: MDT Production x86
2. ISO file name: MDT Production x86.iso
@@ -430,13 +435,19 @@ SkipBDDWelcome=YES
>Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
+
7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
+
8. On the **General** sub tab, configure the following settings:
- - In the **Lite Touch Boot Image Settings** area:
+
+ In the **Lite Touch Boot Image Settings** area:
1. Image description: MDT Production x64
2. ISO file name: MDT Production x64.iso
+
9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
+
10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
+
11. Click **OK**.
>[!NOTE]
@@ -451,8 +462,7 @@ The Windows PE tab for the x64 boot image.
The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
->
->You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
+You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
### The Bootstrap.ini file
@@ -528,32 +538,44 @@ If your organization has a Microsoft Software Assurance agreement, you also can
If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following:
->DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). Note: MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
+
+> [!NOTE]
+> DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop).
+>
+> MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
On **MDT01**:
1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\\\x64\\MSDaRT100.msi).
+
2. Install DaRT 10 (MSDaRT10.msi) using the default settings.
- 
+ 
2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
+
3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
+
4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
+
5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox.
- 
+ 
- Selecting the DaRT 10 feature in the deployment share.
+ Selecting the DaRT 10 feature in the deployment share.
8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
+
9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
+
10. Click **OK**.
### Update the deployment share
Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created.
+
1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**.
+
2. Use the default options for the Update Deployment Share Wizard.
>[!NOTE]
@@ -570,12 +592,14 @@ You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparati
On **MDT01**:
1. Open the Windows Deployment Services console, expand the **Servers** node and then expand **MDT01.contoso.com**.
+
2. Right-click **Boot Images** and select **Add Boot Image**.
+
3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
-
+ 
-The boot image added to the WDS console.
+ The boot image added to the WDS console.
### Deploy the Windows 10 client
@@ -584,13 +608,15 @@ At this point, you should have a solution ready for deploying the Windows 10 cl
On **HV01**:
1. Create a virtual machine with the following settings:
- 1. Name: PC0005
- 2. Store the virtual machine in a different location: C:\VM
- 3. Generation: 2
- 4. Memory: 2048 MB
- 5. Network: Must be able to connect to \\MDT01\MDTProduction$
- 6. Hard disk: 60 GB (dynamic disk)
- 7. Installation Options: Install an operating system from a network-based installation server
+
+ - Name: PC0005
+ - Store the virtual machine in a different location: C:\VM
+ - Generation: 2
+ - Memory: 2048 MB
+ - Network: Must be able to connect to \\MDT01\MDTProduction$
+ - Hard disk: 60 GB (dynamic disk)
+ - Installation Options: Install an operating system from a network-based installation server
+
2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server.
@@ -598,15 +624,18 @@ On **HV01**:
The initial PXE boot process of PC0005.
3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting:
- 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
- 2. Computer Name: **PC0005**
- 3. Applications: Select the **Install - Adobe Reader** checkbox.
+
+ - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
+ - Computer Name: **PC0005**
+ - Applications: Select the **Install - Adobe Reader** checkbox.
+
4. Setup now begins and does the following:
+
1. Installs the Windows 10 Enterprise operating system.
2. Installs the added application.
3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
-
+ 
### Application installation
@@ -621,12 +650,14 @@ Since you have enabled the monitoring on the MDT Production deployment share, yo
On **MDT01**:
1. In the Deployment Workbench, expand the **MDT Production** deployment share folder.
+
2. Select the **Monitoring** node, and wait until you see PC0005.
+
3. Double-click PC0005, and review the information.
-
+ 
-The Monitoring node, showing the deployment progress of PC0005.
+ The Monitoring node, showing the deployment progress of PC0005.
### Use information in the Event Viewer
@@ -673,15 +704,18 @@ To filter what is being added to the media, you create a selection profile. When
On **MDT01**:
1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**.
+
2. Use the following settings for the New Selection Profile Wizard:
- 1. General Settings
- - Selection profile name: Windows 10 Offline Media
- 2. Folders
- 1. Applications / Adobe
- 2. Operating Systems / Windows 10
- 3. Out-Of-Box Drivers / WinPE x64
- 4. Out-Of-Box Drivers / Windows 10 x64
- 5. Task Sequences / Windows 10
+
+ - General Settings
+ - Selection profile name: Windows 10 Offline Media
+
+ - Folders
+ - Applications / Adobe
+ - Operating Systems / Windows 10
+ - Out-Of-Box Drivers / WinPE x64
+ - Out-Of-Box Drivers / Windows 10 x64
+ - Task Sequences / Windows 10
@@ -695,10 +729,11 @@ In these steps, you generate offline media from the MDT Production deployment sh
>When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media.
2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**.
+
3. Use the following settings for the New Media Wizard:
- General Settings
- 1. Media path: **D:\\MDTOfflineMedia**
- 2. Selection profile: **Windows 10 Offline Media**
+ - Media path: **D:\\MDTOfflineMedia**
+ - Selection profile: **Windows 10 Offline Media**
### Configure the offline media
@@ -707,16 +742,22 @@ Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini fi
On **MDT01**:
1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
+
2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**.
+
3. In the **General** tab, configure the following:
- 1. Clear the Generate x86 boot image check box.
- 2. ISO file name: Windows 10 Offline Media.iso
+ - Clear the Generate x86 boot image check box.
+ - ISO file name: Windows 10 Offline Media.iso
+
4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
+
5. On the **General** sub tab, configure the following settings:
- 1. In the **Lite Touch Boot Image Settings** area:
- - Image description: MDT Production x64
- 2. In the **Windows PE Customizations** area, set the Scratch space size to 128.
+ - In the **Lite Touch Boot Image Settings** area:
+ - Image description: MDT Production x64
+ - In the **Windows PE Customizations** area, set the Scratch space size to 128.
+
6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
+
7. Click **OK**.
### Generate the offline media
@@ -726,6 +767,7 @@ You have now configured the offline media deployment share, however the share ha
On **MDT01**:
1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node.
+
2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes.
### Create a bootable USB stick
@@ -738,10 +780,15 @@ The ISO that you got when updating the offline media item can be burned to a DVD
Follow these steps to create a bootable USB stick from the offline media content:
1. On a physical machine running Windows 7 or later, insert the USB stick you want to use.
+
2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick.
+
3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**.
+
4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F.
+
5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter).
+
6. In the Diskpart utility, type **active**, and then type **exit**.
## Unified Extensible Firmware Interface (UEFI)-based deployments
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 1d42b159e5..3bf28483bf 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -49,10 +49,13 @@ The process proceeds as follows:
1. Perform one of the following tasks:
- Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
- Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
+
1. Microsoft verifies the KMS host key, and an activation object is created.
+
1. Client computers are activated by receiving the activation object from a domain controller during startup.
- 
+ > [!div class="mx-imgBorder"]
+ > 
**Figure 10**. The Active Directory-based activation flow
@@ -72,7 +75,9 @@ When a reactivation event occurs, the client queries AD DS for the activation o
**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
+
1. Launch Server Manager.
+
1. Add the Volume Activation Services role, as shown in Figure 11.
@@ -101,18 +106,17 @@ When a reactivation event occurs, the client queries AD DS for the activation o
+ **Figure 15**. Choosing how to activate your product
+
> [!NOTE]
> To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
-
-
- - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
-
- - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
-
- - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
-
-
- **Figure 15**. Choosing how to activate your product
+ >
+ >
+ > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
+ >
+ > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
+ >
+ > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
1. After activating the key, click **Commit**, and then click **Close**.
@@ -121,15 +125,21 @@ When a reactivation event occurs, the client queries AD DS for the activation o
To verify your Active Directory-based activation configuration, complete the following steps:
1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
+
1. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
+
1. If the computer is not joined to your domain, join it to the domain.
+
1. Sign in to the computer.
+
1. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
+
1. Scroll down to the **Windows activation** section, and verify that this client has been activated.
> [!NOTE]
> If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
-> To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool).
+ >
+ > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool).
## See also
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 9fb64c43d7..2c46f21b47 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -106,21 +106,29 @@ To resolve this issue:
If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal.
If the device is running Windows 10, version 1809 or later:
-1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
-2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
-
-
-
+- Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
+
+- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
+
+ 
+
+ 
+
+ 
### Windows 10 Education requirements
-1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
-2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation.
-3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
-4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
+- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
-> If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
+- A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation.
+
+- The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
+
+- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
+
+> [!IMPORTANT]
+> If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
## Benefits
@@ -132,11 +140,15 @@ With Windows 10 Enterprise or Windows 10 Education, businesses and institutions
You can benefit by moving to Windows as an online service in the following ways:
-1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
-2. User logon triggers a silent edition upgrade, with no reboot required
-3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
-4. Compliance support via seat assignment.
-5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs.
+- Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
+
+- User logon triggers a silent edition upgrade, with no reboot required.
+
+- Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
+
+- Compliance support via seat assignment.
+
+- Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs.
## How it works
@@ -158,26 +170,35 @@ Before Windows 10, version 1903:
After Windows 10, version 1903:
-Note:
-1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
-2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+> [!NOTE]
+>
+> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+>
+> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
### Scenarios
-**Scenario #1**: You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
+#### Scenario #1
+
+You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device.
-**Scenario #2**: You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
+#### Scenario #2
+
+You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer:
-
+```console
cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
+```
The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate. This key comes from [Appendix A: KMS Client Setup Keys](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide. It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
-**Scenario #3**: Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
+#### Scenario #3
+
+Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above.
@@ -205,7 +226,7 @@ If you are using Windows 10, version 1607, 1703, or 1709 and have already deploy
If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
-
+```console
@echo off
FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO (
SET "ProductKey=%%A"
@@ -219,18 +240,24 @@ echo No key present
echo Installing %ProductKey%
changepk.exe /ProductKey %ProductKey%
)
-
+```
### Obtaining an Azure AD license
Enterprise Agreement/Software Assurance (EA/SA):
+
- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea).
+
- The license administrator can assign seats to Azure AD users with the same process that is used for O365.
+
- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
Microsoft Products & Services Agreements (MPSA):
+
- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions.
+
- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
+
- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
### Deploying licenses
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 35853c7fd0..6ebb39c015 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -44,44 +44,60 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
### Connect Azure Active Directory with the PIN reset service
1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
+
2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
- 
+
+ 
+
3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
+
4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
- 
+
+ 
-> [!NOTE]
-> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
+ > [!NOTE]
+ > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
- 
+
+ 
### Configure Windows devices to use PIN reset using Group Policy
You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
+
2. Edit the Group Policy object from Step 1.
+
3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
+
4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
#### Create a PIN Reset Device configuration profile using Microsoft Intune
1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
+
2. Click **Endpoint Security** > **Account Protection** > **Properties**.
+
3. Set **Enable PIN recovery** to **Yes**.
> [!NOTE]
> You can also setup PIN recovery using configuration profiles.
> 1. Sign in to Endpoint Manager.
+>
> 2. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type.
+>
> 3. Set **Enable PIN recovery** to **Yes**.
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account.
+
2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration.
+
3. In the device configuration profile, select **Assignments**.
+
4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
## On-premises Deployments
@@ -106,10 +122,10 @@ On-premises deployments provide users with the ability to reset forgotten PINs e
#### Reset PIN above the Lock Screen
- 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
- 2. Enter your password and press enter.
- 3. Follow the instructions provided by the provisioning process
- 4. When finished, unlock your desktop using your newly created PIN.
+1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
+2. Enter your password and press enter.
+3. Follow the instructions provided by the provisioning process
+4. When finished, unlock your desktop using your newly created PIN.
You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
index 034d227013..2950bc11b8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
@@ -64,24 +64,36 @@ Follow the instructions for a single entry for each device.
This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way.
#### Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center
-1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip)
- - In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**.
- - Select Windows 10 as the operating system.
- - In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints.
- - Click **Download package** and save the .zip file.
+
+1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip).
+
+ 1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**.
+ 1. Select Windows 10 as the operating system.
+ 1. In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints.
+ 1. Click **Download package** and save the .zip file.
+
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**.
#### Use Group Policy management console to run the script when the virtual machine starts
+
1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+
2. In the Group Policy Management Editor, go to **Computer configuration** > **Preferences** > **Control panel settings**.
+
3. Right-click **Scheduled tasks**, click **New**, and then select **Immediate Task** (At least Windows 7).
+
4. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. `NT AUTHORITY\SYSTEM` appears as the user account under which the task will run.
+
5. Select **Run whether user is logged on or not** and select the **Run with highest privileges** option.
+
6. Go to the **Actions** tab and select **New**. Confirm that **Start a program** is selected in the **Action** field.
+
7. Specify the following:
+
- Action = **Start a program**
- Program/Script = `C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe`
- Add Arguments (optional) = `-ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"`
+
8. Select **OK** and close any open GPMC windows.
### Scenario 3: Onboarding using management tools
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 072625e781..d5b506f46e 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -36,7 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use
## Microsoft Intune
->Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching.
+Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching.
## Security
@@ -172,10 +172,16 @@ For example, you can choose the XTS-AES 256 encryption algorithm, and have it ap
To achieve this:
1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
+
2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
- - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
+
+ > [!IMPORTANT]
+ > The encryption policy must be assigned to **devices** in the group, not users.
+
3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
- - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
+
+ > [!IMPORTANT]
+ > If the ESP is not enabled, the policy will not apply before encryption starts.
### Identity protection
@@ -190,7 +196,7 @@ New features in [Windows Hello for Business](/windows/security/identity-protecti
- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.
- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
-[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section.
+[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
@@ -204,7 +210,10 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure
Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
+Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
+
+> [!NOTE]
+> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
@@ -277,14 +286,12 @@ For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
The following new DISM commands have been added to manage feature updates:
- DISM /Online /Initiate-OSUninstall
- – Initiates a OS uninstall to take the computer back to the previous installation of windows.
- DISM /Online /Remove-OSUninstall
- – Removes the OS uninstall capability from the computer.
- DISM /Online /Get-OSUninstallWindow
- – Displays the number of days after upgrade during which uninstall can be performed.
- DISM /Online /Set-OSUninstallWindow
- – Sets the number of days after upgrade during which uninstall can be performed.
+| Command | Description |
+|---------|-------------|
+| **DISM /Online /Initiate-OSUninstall** | Initiates a OS uninstall to take the computer back to the previous installation of windows. |
+| **DISM /Online /Remove-OSUninstall** | Removes the OS uninstall capability from the computer. |
+| **DISM /Online /Get-OSUninstallWindow** | Displays the number of days after upgrade during which uninstall can be performed. |
+| **DISM /Online /Set-OSUninstallWindow** | Sets the number of days after upgrade during which uninstall can be performed. |
For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
@@ -300,18 +307,17 @@ For more information, see [Run custom actions during feature update](https://doc
It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
- /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]
+ `/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]`
For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21)
New command-line switches are also available to control BitLocker:
- Setup.exe /BitLocker AlwaysSuspend
- – Always suspend bitlocker during upgrade.
- Setup.exe /BitLocker TryKeepActive
- – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade.
- Setup.exe /BitLocker ForceKeepActive
- – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade.
+| Command | Description |
+|---------|-------------|
+| **Setup.exe /BitLocker AlwaysSuspend** | Always suspend bitlocker during upgrade. |
+| **Setup.exe /BitLocker TryKeepActive** | Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. |
+| **Setup.exe /BitLocker ForceKeepActive** | Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. |
For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33)
@@ -332,20 +338,27 @@ SetupDiag works by searching Windows Setup log files. When searching log files,
If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash!
**To enable fast sign-in:**
+
1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019.
+
2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
+
3. Sign-in to a shared PC with your account. You'll notice the difference!
- 
+ 
### Web sign-in to Windows 10
Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing "web sign-in," a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
**To try out web sign-in:**
+
1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
+
2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in.
+
3. On the lock screen, select web sign-in under sign-in options.
+
4. Click the "Sign in" button to continue.
@@ -386,7 +399,7 @@ Maintaining devices is made easier with Device Health, a new, premium analytic t
### Accessibility
-"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/), a blog post.
### Privacy
@@ -433,7 +446,9 @@ Previously, the customized taskbar could only be deployed using Group Policy or
[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
+
- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep)
+
- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist).
## Windows Update
@@ -564,11 +579,11 @@ Several network stack enhancements are available in this release. Some of these
In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
-How it works:
+#### How it works
Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
-Miracast over Infrastructure offers a number of benefits:
+#### Miracast over Infrastructure offers a number of benefits
- Windows automatically detects when sending the video stream over this path is applicable.
- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
@@ -577,15 +592,18 @@ Miracast over Infrastructure offers a number of benefits:
- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
- It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
-Enabling Miracast over Infrastructure:
+#### Enabling Miracast over Infrastructure
If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS.
+
- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
- As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
- As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+
- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
+
- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
@@ -603,6 +621,7 @@ Azure Active Directory and Active Directory users using Windows Hello for Busine
To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**.
- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials.
+
- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN.
See the following example: