deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 18:33:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Corrections & improvements to layout & presentation

Browse Source
This commit is contained in:
Gary Moore
2021-03-04 21:14:54 -08:00
parent a4ac2ba444
commit e848456ccf
7 changed files with 333 additions and 194 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
windows/configuration/set-up-shared-or-guest-pc.md
View File

@ -86,24 +86,29 @@ You can configure Windows to be in shared PC mode in a couple different ways:
- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps: - Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Windows** > **Configuration profiles** > **Create profile**. 2. Select **Devices** > **Windows** > **Configuration profiles** > **Create profile**.
3. Enter the following properties: 3. Enter the following properties:
- **Platform**: Select **Windows 10 and later**. - **Platform**: Select **Windows 10 and later**.
- **Profile**: Select **Templates** > **Shared multi-user device**. - **Profile**: Select **Templates** > **Shared multi-user device**.
4. Select **Create**. 4. Select **Create**.
5. In **Basics**, enter the following properties: 5. In **Basics**, enter the following properties:
- **Name**: Enter a descriptive name for the new profile. - **Name**: Enter a descriptive name for the new profile.
- **Description**: Enter a description for the profile. This setting is optional, but recommended. - **Description**: Enter a description for the profile. This setting is optional, but recommended.
6. Select **Next**. 6. Select **Next**.
7. In **Configuration settings**, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings: 7. In **Configuration settings**, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings:
8. On the **Configuration settings** page, set the Shared PC Mode value to **Enabled**. 8. On the **Configuration settings** page, set the Shared PC Mode value to **Enabled**.
![Shared PC settings in ICD](images/shared_pc_3.png) > [!div class="mx-imgBorder"]
> ![Shared PC settings in ICD](images/shared_pc_3.png)
9. From this point on, you can configure any additional settings youd like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 4**. 9. From this point on, you can configure any additional settings youd like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 4**.
@ -112,27 +117,27 @@ You can configure Windows to be in shared PC mode in a couple different ways:
![Shared PC settings in ICD](images/icd-adv-shared-pc.png) ![Shared PC settings in ICD](images/icd-adv-shared-pc.png)
- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
``` ```powershell
$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
$sharedPC.EnableSharedPCMode = $True $sharedPC.EnableSharedPCMode = $True
$sharedPC.SetEduPolicies = $True $sharedPC.SetEduPolicies = $True
$sharedPC.SetPowerPolicies = $True $sharedPC.SetPowerPolicies = $True
$sharedPC.MaintenanceStartTime = 0 $sharedPC.MaintenanceStartTime = 0
$sharedPC.SignInOnResume = $True $sharedPC.SignInOnResume = $True
$sharedPC.SleepTimeout = 0 $sharedPC.SleepTimeout = 0
$sharedPC.EnableAccountManager = $True $sharedPC.EnableAccountManager = $True
$sharedPC.AccountModel = 2 $sharedPC.AccountModel = 2
$sharedPC.DeletionPolicy = 1 $sharedPC.DeletionPolicy = 1
$sharedPC.DiskLevelDeletion = 25 $sharedPC.DiskLevelDeletion = 25
$sharedPC.DiskLevelCaching = 50 $sharedPC.DiskLevelCaching = 50
$sharedPC.RestrictLocalStorage = $False $sharedPC.RestrictLocalStorage = $False
$sharedPC.KioskModeAUMID = "" $sharedPC.KioskModeAUMID = ""
$sharedPC.KioskModeUserTileDisplayText = "" $sharedPC.KioskModeUserTileDisplayText = ""
$sharedPC.InactiveThreshold = 0 $sharedPC.InactiveThreshold = 0
Set-CimInstance -CimInstance $sharedPC Set-CimInstance -CimInstance $sharedPC
Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
``` ```
### Create a provisioning package for shared use ### Create a provisioning package for shared use
@ -209,19 +214,24 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
## Guidance for accounts on shared PCs ## Guidance for accounts on shared PCs
* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. * We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out. * When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
* On a Windows PC joined to Azure Active Directory: * On a Windows PC joined to Azure Active Directory:
* By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
* Local accounts that already exist on a PC wont be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out. * Local accounts that already exist on a PC wont be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out.
* If admin accounts are necessary on the PC * If admin accounts are necessary on the PC
* Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
* Create admin accounts before setting up shared PC mode, or * Create admin accounts before setting up shared PC mode, or
* Create exempt accounts before signing out when turning shared pc mode on. * Create exempt accounts before signing out when turning shared pc mode on.
* The account management service supports accounts that are exempt from deletion. * The account management service supports accounts that are exempt from deletion.
* An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. * An account can be marked exempt from deletion by adding the account SID to the registry key:`HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`.
* To add the account SID to the registry key using PowerShell:<br/> * To add the account SID to the registry key using PowerShell:
```
```powershell
$adminName = "LocalAdmin" $adminName = "LocalAdmin"
$adminPass = 'Pa$$word123' $adminPass = 'Pa$$word123'
iex "net user /add $adminName $adminPass" iex "net user /add $adminName $adminPass"
@ -232,8 +242,6 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
``` ```
## Policies set by shared PC mode ## Policies set by shared PC mode
Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options. Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.

223
windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
View File

@ -211,16 +211,17 @@ When you import drivers to the **MDT driver repository**, **MDT** creates a sing
The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in an elevated **Windows PowerShell prompt**: The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in an elevated **Windows PowerShell prompt**:
``` powershell ```powershell
Get-WmiObject -Class:Win32_ComputerSystem Get-WmiObject -Class:Win32_ComputerSystem
``` ```
Or, you can use this command in a normal command prompt: Or, you can use this command in a normal command prompt:
``` ```console
wmic csproduct get name wmic csproduct get name
``` ```
If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536). If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
![drivers](../images/fig4-oob-drivers.png) ![drivers](../images/fig4-oob-drivers.png)
@ -266,7 +267,8 @@ On **MDT01**:
For the **ThinkStation P500** model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6. For the **ThinkStation P500** model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
![ThinkStation image](../images/thinkstation.png) > [!div class="mx-imgBorder"]
> ![ThinkStation image](../images/thinkstation.png)
To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
@ -368,60 +370,63 @@ On **MDT01**:
1. Right-click the **MDT Production** deployment share and select **Properties**. 1. Right-click the **MDT Production** deployment share and select **Properties**.
2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment): 2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment):
``` ```
[Settings] [Settings]
Priority=Default Priority=Default
[Default] [Default]
_SMSTSORGNAME=Contoso _SMSTSORGNAME=Contoso
OSInstall=YES OSInstall=YES
UserDataLocation=AUTO UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time TimeZoneName=Pacific Standard Time
AdminPassword=pass@word1 AdminPassword=pass@word1
JoinDomain=contoso.com JoinDomain=contoso.com
DomainAdmin=CONTOSO\MDT_JD DomainAdmin=CONTOSO\MDT_JD
DomainAdminPassword=pass@word1 DomainAdminPassword=pass@word1
MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
SLShare=\\MDT01\Logs$ SLShare=\\MDT01\Logs$
ScanStateArgs=/ue:*\* /ui:CONTOSO\* ScanStateArgs=/ue:*\* /ui:CONTOSO\*
USMTMigFiles001=MigApp.xml USMTMigFiles001=MigApp.xml
USMTMigFiles002=MigUser.xml USMTMigFiles002=MigUser.xml
HideShell=YES HideShell=YES
ApplyGPOPack=NO ApplyGPOPack=NO
WSUSServer=mdt01.contoso.com:8530 WSUSServer=mdt01.contoso.com:8530
SkipAppsOnUpgrade=NO SkipAppsOnUpgrade=NO
SkipAdminPassword=YES SkipAdminPassword=YES
SkipProductKey=YES SkipProductKey=YES
SkipComputerName=NO SkipComputerName=NO
SkipDomainMembership=YES SkipDomainMembership=YES
SkipUserData=YES SkipUserData=YES
SkipLocaleSelection=YES SkipLocaleSelection=YES
SkipTaskSequence=NO SkipTaskSequence=NO
SkipTimeZone=YES SkipTimeZone=YES
SkipApplications=NO SkipApplications=NO
SkipBitLocker=YES SkipBitLocker=YES
SkipSummary=YES SkipSummary=YES
SkipCapture=YES SkipCapture=YES
SkipFinalSummary=NO SkipFinalSummary=NO
``` ```
3. Click **Edit Bootstrap.ini** and modify using the following information: 3. Click **Edit Bootstrap.ini** and modify using the following information:
``` ```
[Settings] [Settings]
Priority=Default Priority=Default
[Default] [Default]
DeployRoot=\\MDT01\MDTProduction$ DeployRoot=\\MDT01\MDTProduction$
UserDomain=CONTOSO UserDomain=CONTOSO
UserID=MDT_BA UserID=MDT_BA
UserPassword=pass@word1 UserPassword=pass@word1
SkipBDDWelcome=YES SkipBDDWelcome=YES
``` ```
4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. 4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings: 5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings:
- In the **Lite Touch Boot Image Settings** area:
In the **Lite Touch Boot Image Settings** area:
1. Image description: MDT Production x86 1. Image description: MDT Production x86
2. ISO file name: MDT Production x86.iso 2. ISO file name: MDT Production x86.iso
@ -430,13 +435,19 @@ SkipBDDWelcome=YES
>Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. 6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. 7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
8. On the **General** sub tab, configure the following settings: 8. On the **General** sub tab, configure the following settings:
- In the **Lite Touch Boot Image Settings** area:
In the **Lite Touch Boot Image Settings** area:
1. Image description: MDT Production x64 1. Image description: MDT Production x64
2. ISO file name: MDT Production x64.iso 2. ISO file name: MDT Production x64.iso
9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. 9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box. 10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
11. Click **OK**. 11. Click **OK**.
>[!NOTE] >[!NOTE]
@ -451,8 +462,7 @@ The Windows PE tab for the x64 boot image.
The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
> You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
>You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
### The Bootstrap.ini file ### The Bootstrap.ini file
@ -528,32 +538,44 @@ If your organization has a Microsoft Software Assurance agreement, you also can
If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following: If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following:
>DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). Note: MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
> [!NOTE]
> DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop).
>
> MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
On **MDT01**: On **MDT01**:
1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\<lang\>\\x64\\MSDaRT100.msi). 1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\<lang\>\\x64\\MSDaRT100.msi).
2. Install DaRT 10 (MSDaRT10.msi) using the default settings. 2. Install DaRT 10 (MSDaRT10.msi) using the default settings.
![DaRT image](../images/dart.png) ![DaRT image](../images/dart.png)
2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively. 2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. 3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. 4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox. 5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox.
![DaRT selection](../images/mdt-07-fig09.png) ![DaRT selection](../images/mdt-07-fig09.png)
Selecting the DaRT 10 feature in the deployment share. Selecting the DaRT 10 feature in the deployment share.
8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. 8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. 9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
10. Click **OK**. 10. Click **OK**.
### Update the deployment share ### Update the deployment share
Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created. Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created.
1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. 1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard. 2. Use the default options for the Update Deployment Share Wizard.
>[!NOTE] >[!NOTE]
@ -570,12 +592,14 @@ You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparati
On **MDT01**: On **MDT01**:
1. Open the Windows Deployment Services console, expand the **Servers** node and then expand **MDT01.contoso.com**. 1. Open the Windows Deployment Services console, expand the **Servers** node and then expand **MDT01.contoso.com**.
2. Right-click **Boot Images** and select **Add Boot Image**. 2. Right-click **Boot Images** and select **Add Boot Image**.
3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings. 3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
![figure 9](../images/mdt-07-fig10.png) ![figure 9](../images/mdt-07-fig10.png)
The boot image added to the WDS console. The boot image added to the WDS console.
### Deploy the Windows 10 client ### Deploy the Windows 10 client
@ -584,13 +608,15 @@ At this point, you should have a solution ready for deploying the Windows 10 cl
On **HV01**: On **HV01**:
1. Create a virtual machine with the following settings: 1. Create a virtual machine with the following settings:
1. Name: PC0005
2. Store the virtual machine in a different location: C:\VM - Name: PC0005
3. Generation: 2 - Store the virtual machine in a different location: C:\VM
4. Memory: 2048 MB - Generation: 2
5. Network: Must be able to connect to \\MDT01\MDTProduction$ - Memory: 2048 MB
6. Hard disk: 60 GB (dynamic disk) - Network: Must be able to connect to \\MDT01\MDTProduction$
7. Installation Options: Install an operating system from a network-based installation server - Hard disk: 60 GB (dynamic disk)
- Installation Options: Install an operating system from a network-based installation server
2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server. 2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server.
![figure 10](../images/mdt-07-fig11.png) ![figure 10](../images/mdt-07-fig11.png)
@ -598,15 +624,18 @@ On **HV01**:
The initial PXE boot process of PC0005. The initial PXE boot process of PC0005.
3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting: 3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting:
1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
2. Computer Name: **PC0005** - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
3. Applications: Select the **Install - Adobe Reader** checkbox. - Computer Name: **PC0005**
- Applications: Select the **Install - Adobe Reader** checkbox.
4. Setup now begins and does the following: 4. Setup now begins and does the following:
1. Installs the Windows 10 Enterprise operating system. 1. Installs the Windows 10 Enterprise operating system.
2. Installs the added application. 2. Installs the added application.
3. Updates the operating system via your local Windows Server Update Services (WSUS) server. 3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
![pc0005 image1](../images/pc0005-vm.png) ![pc0005 image1](../images/pc0005-vm.png)
### Application installation ### Application installation
@ -621,12 +650,14 @@ Since you have enabled the monitoring on the MDT Production deployment share, yo
On **MDT01**: On **MDT01**:
1. In the Deployment Workbench, expand the **MDT Production** deployment share folder. 1. In the Deployment Workbench, expand the **MDT Production** deployment share folder.
2. Select the **Monitoring** node, and wait until you see PC0005. 2. Select the **Monitoring** node, and wait until you see PC0005.
3. Double-click PC0005, and review the information. 3. Double-click PC0005, and review the information.
![figure 11](../images/mdt-07-fig13.png) ![figure 11](../images/mdt-07-fig13.png)
The Monitoring node, showing the deployment progress of PC0005. The Monitoring node, showing the deployment progress of PC0005.
### Use information in the Event Viewer ### Use information in the Event Viewer
@ -673,15 +704,18 @@ To filter what is being added to the media, you create a selection profile. When
On **MDT01**: On **MDT01**:
1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**. 1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**.
2. Use the following settings for the New Selection Profile Wizard: 2. Use the following settings for the New Selection Profile Wizard:
1. General Settings
- Selection profile name: Windows 10 Offline Media - General Settings
2. Folders - Selection profile name: Windows 10 Offline Media
1. Applications / Adobe
2. Operating Systems / Windows 10 - Folders
3. Out-Of-Box Drivers / WinPE x64 - Applications / Adobe
4. Out-Of-Box Drivers / Windows 10 x64 - Operating Systems / Windows 10
5. Task Sequences / Windows 10 - Out-Of-Box Drivers / WinPE x64
- Out-Of-Box Drivers / Windows 10 x64
- Task Sequences / Windows 10
![offline media](../images/mdt-offline-media.png) ![offline media](../images/mdt-offline-media.png)
@ -695,10 +729,11 @@ In these steps, you generate offline media from the MDT Production deployment sh
>When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media. >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media.
2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. 2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**.
3. Use the following settings for the New Media Wizard: 3. Use the following settings for the New Media Wizard:
- General Settings - General Settings
1. Media path: **D:\\MDTOfflineMedia** - Media path: **D:\\MDTOfflineMedia**
2. Selection profile: **Windows 10 Offline Media** - Selection profile: **Windows 10 Offline Media**
### Configure the offline media ### Configure the offline media
@ -707,16 +742,22 @@ Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini fi
On **MDT01**: On **MDT01**:
1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files. 1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**. 2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**.
3. In the **General** tab, configure the following: 3. In the **General** tab, configure the following:
1. Clear the Generate x86 boot image check box. - Clear the Generate x86 boot image check box.
2. ISO file name: Windows 10 Offline Media.iso - ISO file name: Windows 10 Offline Media.iso
4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. 4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
5. On the **General** sub tab, configure the following settings: 5. On the **General** sub tab, configure the following settings:
1. In the **Lite Touch Boot Image Settings** area: - In the **Lite Touch Boot Image Settings** area:
- Image description: MDT Production x64 - Image description: MDT Production x64
2. In the **Windows PE Customizations** area, set the Scratch space size to 128. - In the **Windows PE Customizations** area, set the Scratch space size to 128.
6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. 6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
7. Click **OK**. 7. Click **OK**.
### Generate the offline media ### Generate the offline media
@ -726,6 +767,7 @@ You have now configured the offline media deployment share, however the share ha
On **MDT01**: On **MDT01**:
1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node. 1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node.
2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes. 2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes.
### Create a bootable USB stick ### Create a bootable USB stick
@ -738,10 +780,15 @@ The ISO that you got when updating the offline media item can be burned to a DVD
Follow these steps to create a bootable USB stick from the offline media content: Follow these steps to create a bootable USB stick from the offline media content:
1. On a physical machine running Windows 7 or later, insert the USB stick you want to use. 1. On a physical machine running Windows 7 or later, insert the USB stick you want to use.
2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick. 2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick.
3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. 3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**.
4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. 4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F.
5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). 5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter).
6. In the Diskpart utility, type **active**, and then type **exit**. 6. In the Diskpart utility, type **active**, and then type **exit**.
## Unified Extensible Firmware Interface (UEFI)-based deployments ## Unified Extensible Firmware Interface (UEFI)-based deployments

34
windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
View File

@ -49,10 +49,13 @@ The process proceeds as follows:
1. Perform one of the following tasks: 1. Perform one of the following tasks:
- Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard. - Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
- Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT. - Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
1. Microsoft verifies the KMS host key, and an activation object is created. 1. Microsoft verifies the KMS host key, and an activation object is created.
1. Client computers are activated by receiving the activation object from a domain controller during startup. 1. Client computers are activated by receiving the activation object from a domain controller during startup.
![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg) > [!div class="mx-imgBorder"]
> ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg)
**Figure 10**. The Active Directory-based activation flow **Figure 10**. The Active Directory-based activation flow
@ -72,7 +75,9 @@ When a reactivation event occurs, the client queries AD DS for the activation o
**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:** **To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. 1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
1. Launch Server Manager. 1. Launch Server Manager.
1. Add the Volume Activation Services role, as shown in Figure 11. 1. Add the Volume Activation Services role, as shown in Figure 11.
![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg) ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg)
@ -101,18 +106,17 @@ When a reactivation event occurs, the client queries AD DS for the activation o
![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg) ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg)
**Figure 15**. Choosing how to activate your product
> [!NOTE] > [!NOTE]
> To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
>
>
- [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584) > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
>
- [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164) > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
>
- [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342) > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
**Figure 15**. Choosing how to activate your product
1. After activating the key, click **Commit**, and then click **Close**. 1. After activating the key, click **Commit**, and then click **Close**.
@ -121,15 +125,21 @@ When a reactivation event occurs, the client queries AD DS for the activation o
To verify your Active Directory-based activation configuration, complete the following steps: To verify your Active Directory-based activation configuration, complete the following steps:
1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing. 1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
1. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key. 1. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
1. If the computer is not joined to your domain, join it to the domain. 1. If the computer is not joined to your domain, join it to the domain.
1. Sign in to the computer. 1. Sign in to the computer.
1. Open Windows Explorer, right-click **Computer**, and then click **Properties**. 1. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
1. Scroll down to the **Windows activation** section, and verify that this client has been activated. 1. Scroll down to the **Windows activation** section, and verify that this client has been activated.
> [!NOTE] > [!NOTE]
> If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used. > If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
> To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool). >
> To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool).
## See also ## See also

75
windows/deployment/windows-10-subscription-activation.md
View File

@ -106,21 +106,29 @@ To resolve this issue:
If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal. If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal.
If the device is running Windows 10, version 1809 or later: If the device is running Windows 10, version 1809 or later:
1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
![Subscription Activation with MFA example 1](images/sa-mfa1.png)<br> - Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
![Subscription Activation with MFA example 2](images/sa-mfa2.png)<br>
![Subscription Activation with MFA example 3](images/sa-mfa3.png) - When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
![Subscription Activation with MFA example 1](images/sa-mfa1.png)<br>
![Subscription Activation with MFA example 2](images/sa-mfa2.png)<br>
![Subscription Activation with MFA example 3](images/sa-mfa3.png)
### Windows 10 Education requirements ### Windows 10 Education requirements
1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. - Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation.
3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
> If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. - A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation.
- The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
> [!IMPORTANT]
> If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
## Benefits ## Benefits
@ -132,11 +140,15 @@ With Windows 10 Enterprise or Windows 10 Education, businesses and institutions
You can benefit by moving to Windows as an online service in the following ways: You can benefit by moving to Windows as an online service in the following ways:
1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. - Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
2. User logon triggers a silent edition upgrade, with no reboot required
3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. - User logon triggers a silent edition upgrade, with no reboot required.
4. Compliance support via seat assignment.
5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. - Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
- Compliance support via seat assignment.
- Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs.
## How it works ## How it works
@ -158,26 +170,35 @@ Before Windows 10, version 1903:<br>
After Windows 10, version 1903:<br> After Windows 10, version 1903:<br>
![1903](images/after.png) ![1903](images/after.png)
Note: > [!NOTE]
1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). >
2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). > - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
>
> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
### Scenarios ### Scenarios
**Scenario #1**:  You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but havent yet deployed Windows 10 Enterprise). #### Scenario #1
You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but havent yet deployed Windows 10 Enterprise).
All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device.
**Scenario #2**:  You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but havent yet deployed Windows 10 Enterprise). #### Scenario #2
You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but havent yet deployed Windows 10 Enterprise).
To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer:
<pre style="overflow-y: visible"> ```console
cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43</pre> cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43</pre>
```
The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
**Scenario #3**:  Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. #### Scenario #3
Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, its really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above. In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, its really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above.
@ -205,7 +226,7 @@ If you are using Windows 10, version 1607, 1703, or 1709 and have already deploy
If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
<pre style="overflow-y: visible"> ```console
@echo off @echo off
FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO ( FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO (
SET "ProductKey=%%A" SET "ProductKey=%%A"
@ -219,18 +240,24 @@ echo No key present
echo Installing %ProductKey% echo Installing %ProductKey%
changepk.exe /ProductKey %ProductKey% changepk.exe /ProductKey %ProductKey%
) )
</pre> ```
### Obtaining an Azure AD license ### Obtaining an Azure AD license
Enterprise Agreement/Software Assurance (EA/SA): Enterprise Agreement/Software Assurance (EA/SA):
- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea). - Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea).
- The license administrator can assign seats to Azure AD users with the same process that is used for O365. - The license administrator can assign seats to Azure AD users with the same process that is used for O365.
- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
Microsoft Products & Services Agreements (MPSA): Microsoft Products & Services Agreements (MPSA):
- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions. - Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions.
- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service. - Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method. - New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
### Deploying licenses ### Deploying licenses

34
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -44,44 +44,60 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
### Connect Azure Active Directory with the PIN reset service ### Connect Azure Active Directory with the PIN reset service
1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. 1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account. 2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. 3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account. 4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
> [!NOTE] > [!NOTE]
> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. 5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
### Configure Windows devices to use PIN reset using Group Policy ### Configure Windows devices to use PIN reset using Group Policy
You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
2. Edit the Group Policy object from Step 1. 2. Edit the Group Policy object from Step 1.
3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. 3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. 4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
#### Create a PIN Reset Device configuration profile using Microsoft Intune #### Create a PIN Reset Device configuration profile using Microsoft Intune
1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account. 1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
2. Click **Endpoint Security** > **Account Protection** > **Properties**. 2. Click **Endpoint Security** > **Account Protection** > **Properties**.
3. Set **Enable PIN recovery** to **Yes**. 3. Set **Enable PIN recovery** to **Yes**.
> [!NOTE] > [!NOTE]
> You can also setup PIN recovery using configuration profiles. > You can also setup PIN recovery using configuration profiles.
> 1. Sign in to Endpoint Manager. > 1. Sign in to Endpoint Manager.
>
> 2. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type. > 2. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type.
>
> 3. Set **Enable PIN recovery** to **Yes**. > 3. Set **Enable PIN recovery** to **Yes**.
#### Assign the PIN Reset Device configuration profile using Microsoft Intune #### Assign the PIN Reset Device configuration profile using Microsoft Intune
1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account. 1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account.
2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration. 2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration.
3. In the device configuration profile, select **Assignments**. 3. In the device configuration profile, select **Assignments**.
4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. 4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
## On-premises Deployments ## On-premises Deployments
@ -106,10 +122,10 @@ On-premises deployments provide users with the ability to reset forgotten PINs e
#### Reset PIN above the Lock Screen #### Reset PIN above the Lock Screen
1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
2. Enter your password and press enter. 2. Enter your password and press enter.
3. Follow the instructions provided by the provisioning process 3. Follow the instructions provided by the provisioning process
4. When finished, unlock your desktop using your newly created PIN. 4. When finished, unlock your desktop using your newly created PIN.
You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations). You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations).

22
windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
View File

@ -64,24 +64,36 @@ Follow the instructions for a single entry for each device.
This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way. This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way.
#### Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center #### Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center
1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip)
- In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**. 1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip).
- Select Windows 10 as the operating system.
- In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints. 1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**.
- Click **Download package** and save the .zip file. 1. Select Windows 10 as the operating system.
1. In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints.
1. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**.
#### Use Group Policy management console to run the script when the virtual machine starts #### Use Group Policy management console to run the script when the virtual machine starts
1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. 1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
2. In the Group Policy Management Editor, go to **Computer configuration** > **Preferences** > **Control panel settings**. 2. In the Group Policy Management Editor, go to **Computer configuration** > **Preferences** > **Control panel settings**.
3. Right-click **Scheduled tasks**, click **New**, and then select **Immediate Task** (At least Windows 7). 3. Right-click **Scheduled tasks**, click **New**, and then select **Immediate Task** (At least Windows 7).
4. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. `NT AUTHORITY\SYSTEM` appears as the user account under which the task will run. 4. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. `NT AUTHORITY\SYSTEM` appears as the user account under which the task will run.
5. Select **Run whether user is logged on or not** and select the **Run with highest privileges** option. 5. Select **Run whether user is logged on or not** and select the **Run with highest privileges** option.
6. Go to the **Actions** tab and select **New**. Confirm that **Start a program** is selected in the **Action** field. 6. Go to the **Actions** tab and select **New**. Confirm that **Start a program** is selected in the **Action** field.
7. Specify the following: <br/> 7. Specify the following: <br/>
- Action = **Start a program** - Action = **Start a program**
- Program/Script = `C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe` - Program/Script = `C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe`
- Add Arguments (optional) = `-ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"` - Add Arguments (optional) = `-ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"`
8. Select **OK** and close any open GPMC windows. 8. Select **OK** and close any open GPMC windows.
### Scenario 3: Onboarding using management tools ### Scenario 3: Onboarding using management tools

69
windows/whats-new/ltsc/whats-new-windows-10-2019.md
View File

@ -36,7 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use
## Microsoft Intune ## Microsoft Intune
>Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching. Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching.
## Security ## Security
@ -172,10 +172,16 @@ For example, you can choose the XTS-AES 256 encryption algorithm, and have it ap
To achieve this: To achieve this:
1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. 1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. 2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
- **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
> [!IMPORTANT]
> The encryption policy must be assigned to **devices** in the group, not users.
3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. 3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
- **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
> [!IMPORTANT]
> If the ESP is not enabled, the policy will not apply before encryption starts.
### Identity protection ### Identity protection
@ -190,7 +196,7 @@ New features in [Windows Hello for Business](/windows/security/identity-protecti
- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. - For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.
- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). - For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. [Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). - Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. - Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. - Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
@ -204,7 +210,10 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure
Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
> [!NOTE]
> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
@ -277,14 +286,12 @@ For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
The following new DISM commands have been added to manage feature updates: The following new DISM commands have been added to manage feature updates:
DISM /Online /Initiate-OSUninstall | Command | Description |
Initiates a OS uninstall to take the computer back to the previous installation of windows. |---------|-------------|
DISM /Online /Remove-OSUninstall | **DISM /Online /Initiate-OSUninstall** | Initiates a OS uninstall to take the computer back to the previous installation of windows. |
Removes the OS uninstall capability from the computer. | **DISM /Online /Remove-OSUninstall** | Removes the OS uninstall capability from the computer. |
DISM /Online /Get-OSUninstallWindow | **DISM /Online /Get-OSUninstallWindow** | Displays the number of days after upgrade during which uninstall can be performed. |
Displays the number of days after upgrade during which uninstall can be performed. | **DISM /Online /Set-OSUninstallWindow** | Sets the number of days after upgrade during which uninstall can be performed. |
DISM /Online /Set-OSUninstallWindow
Sets the number of days after upgrade during which uninstall can be performed.
For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
@ -300,18 +307,17 @@ For more information, see [Run custom actions during feature update](https://doc
It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
/PostRollback<location> [\setuprollback.cmd] [/postrollback {system / admin}] `/PostRollback<location> [\setuprollback.cmd] [/postrollback {system / admin}]`
For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21)
New command-line switches are also available to control BitLocker: New command-line switches are also available to control BitLocker:
Setup.exe /BitLocker AlwaysSuspend | Command | Description |
Always suspend bitlocker during upgrade. |---------|-------------|
Setup.exe /BitLocker TryKeepActive | **Setup.exe /BitLocker AlwaysSuspend** | Always suspend bitlocker during upgrade. |
Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. | **Setup.exe /BitLocker TryKeepActive** | Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. |
Setup.exe /BitLocker ForceKeepActive | **Setup.exe /BitLocker ForceKeepActive** | Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. |
Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade.
For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33)
@ -332,20 +338,27 @@ SetupDiag works by searching Windows Setup log files. When searching log files,
If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash! If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash!
**To enable fast sign-in:** **To enable fast sign-in:**
1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019. 1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019.
2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. 2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
3. Sign-in to a shared PC with your account. You'll notice the difference! 3. Sign-in to a shared PC with your account. You'll notice the difference!
![fast sign-in](../images/fastsignin.png "fast sign-in") ![fast sign-in](../images/fastsignin.png "fast sign-in")
### Web sign-in to Windows 10 ### Web sign-in to Windows 10
Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing "web sign-in," a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing "web sign-in," a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
**To try out web sign-in:** **To try out web sign-in:**
1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). 1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. 2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in.
3. On the lock screen, select web sign-in under sign-in options. 3. On the lock screen, select web sign-in under sign-in options.
4. Click the "Sign in" button to continue. 4. Click the "Sign in" button to continue.
![Web sign-in](../images/websignin.png "web sign-in") ![Web sign-in](../images/websignin.png "web sign-in")
@ -386,7 +399,7 @@ Maintaining devices is made easier with Device Health, a new, premium analytic t
### Accessibility ### Accessibility
"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [Whats new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post. "Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [Whats new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/), a blog post.
### Privacy ### Privacy
@ -433,7 +446,9 @@ Previously, the customized taskbar could only be deployed using Group Policy or
[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: [Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) - Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) - Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep)
- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). - Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist).
## Windows Update ## Windows Update
@ -564,11 +579,11 @@ Several network stack enhancements are available in this release. Some of these
In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
How it works: #### How it works
Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
Miracast over Infrastructure offers a number of benefits: #### Miracast over Infrastructure offers a number of benefits
- Windows automatically detects when sending the video stream over this path is applicable. - Windows automatically detects when sending the video stream over this path is applicable.
- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. - Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
@ -577,15 +592,18 @@ Miracast over Infrastructure offers a number of benefits:
- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. - It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. - It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
Enabling Miracast over Infrastructure: #### Enabling Miracast over Infrastructure
If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS. - The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS.
- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
- As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
- As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. - The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. - Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and dont have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and dont have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
@ -603,6 +621,7 @@ Azure Active Directory and Active Directory users using Windows Hello for Busine
To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**.
- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. - Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials.
- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. - Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN.
See the following example: See the following example: