diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index bf51ddcd42..0219414079 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -14392,11 +14392,6 @@ "redirect_document_id": true }, { -"source_path": "windows/update/waas-wufb-intune.md", -"redirect_url": "https://docs.microsoft.com/windows/deployment/update/waas-wufb-intune", -"redirect_document_id": true -}, -{ "source_path": "windows/manage/manage-settings-app-with-group-policy.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/manage-settings-app-with-group-policy", "redirect_document_id": true @@ -14652,9 +14647,9 @@ "redirect_document_id": true }, { -"source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md", -"redirect_url": "https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903", -"redirect_document_id": true + "source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md", + "redirect_url": "https://docs.microsoft.com/windows/privacy/required-windows-diagnostic-events-and-fields-2004", + "redirect_document_id": true }, { "source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md", @@ -15957,6 +15952,11 @@ "redirect_document_id": true }, { +"source_path": "devices/surface/using-the-sda-deployment-share.md", +"redirect_url": "https://docs.microsoft.com/surface/microsoft-surface-deployment-accelerator", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction", "redirect_document_id": true diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 3dcabcaee0..cb44c5b311 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -18,7 +18,7 @@ ## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md) ## [HoloLens (1st Gen) release notes](hololens1-release-notes.md) -# Deploy HoloLens and mixed-reality apps in commercial environments +# Deploy HoloLens and mixed reality apps in commercial environments ## [Commercial features](hololens-commercial-features.md) ## [Deploy HoloLens in a commercial environment](hololens-requirements.md) ## [Determine what licenses you need](hololens-licenses-requirements.md) @@ -29,13 +29,13 @@ ## [Manage HoloLens updates](hololens-updates.md) ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) -# Navigating Windows Holographic -## [Start menu and mixed reality home](holographic-home.md) -## [Use your voice with HoloLens](hololens-cortana.md) +# Navigate the Windows Holographic environment +## [Use the Start menu and mixed reality home](holographic-home.md) +## [Use your voice to operate HoloLens](hololens-cortana.md) ## [Find, open, and save files](holographic-data.md) ## [Create mixed reality photos and videos](holographic-photos-and-videos.md) -# User management and access management +# Manage users and access ## [Manage user identity and sign-in for HoloLens](hololens-identity.md) ## [Share your HoloLens with multiple people](hololens-multiple-users.md) ## [Set up HoloLens as a kiosk](hololens-kiosk.md) diff --git a/devices/hololens/holographic-home.md b/devices/hololens/holographic-home.md index 9b554c0638..8cbbe10268 100644 --- a/devices/hololens/holographic-home.md +++ b/devices/hololens/holographic-home.md @@ -1,5 +1,5 @@ --- -title: Start menu and mixed reality home +title: Use the Start menu and mixed reality home description: Navigate the mixed reality home in Windows Holographic. ms.assetid: 742bc126-7996-4f3a-abb2-cf345dff730c ms.date: 08/07/2019 @@ -15,7 +15,7 @@ appliesto: - HoloLens 2 --- -# Start menu and mixed reality home +# Use the Start menu and mixed reality home Just like the Windows PC experience starts with the desktop, Windows Holographic starts with mixed reality home. Using the Start menu you can open and place app windows, immersive app launchers, and 3D content in mixed reality home, and their placement in your physical space will be remembered. diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 89a01c0628..ec869cc67d 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md @@ -1,5 +1,5 @@ --- -title: Use your voice with HoloLens +title: Use your voice to operate HoloLens description: Cortana can help you do all kinds of things on your HoloLens ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed ms.date: 03/10/2020 @@ -17,7 +17,7 @@ appliesto: - HoloLens 2 --- -# Use your voice with HoloLens +# Use your voice to operate HoloLens You can use your voice to do almost anything on HoloLens, such as taking a quick photo or opening an app. Many voice commands are built into HoloLens, while others are available through Cortana. @@ -34,14 +34,14 @@ Get around HoloLens faster with these basic commands. In order to use these, you ### General speech commands -Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying “select.” +Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying "select." > [!NOTE] > Hand rays are not supported on HoloLens (1st Gen). | Say this | To do this | | - | - | -| "Select" | Say "select" to bring up the gaze cursor. Then, turn your head to position the cursor on the thing you want to select, and say “select” again. | +| "Select" | Say "select" to bring up the gaze cursor. Then, turn your head to position the cursor on the thing you want to select, and say "select" again. | |Open the Start menu | "Go to Start" | |Close the Start menu | "Close" | |Leave an immersive app | Say "Go to Start" to bring up the quick actions menu, then say "Mixed reality home." | diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md index 0e557e9c50..9eb5eea890 100644 --- a/devices/hololens/hololens-enroll-mdm.md +++ b/devices/hololens/hololens-enroll-mdm.md @@ -41,7 +41,7 @@ When auto-enrollment is enabled, no additional manual enrollment is needed. When 1. Select **Enroll into device management** and enter your organizational account. You will be redirected to your organization's sign in page. 1. Upon successful authentication to the MDM server, a success message is shown. -Your device is now enrolled with your MDM server. The device will need to restart to acquire policies, certificates, and apps. The Settings app will now reflect that the device is enrolled in device management. +Your device is now enrolled with your MDM server. The Settings app will now reflect that the device is enrolled in device management. ## Unenroll HoloLens from Intune diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md index b98be63493..6653076c8c 100644 --- a/devices/hololens/hololens-release-notes.md +++ b/devices/hololens/hololens-release-notes.md @@ -132,7 +132,7 @@ Many Windows apps now support both dark and light modes, and HoloLens 2 customer - 3D Viewer - Movies & TV -![Dark mode windows tiled](images/hololens-darkmode-tiled-picture.jpg) +![Dark mode windows tiled](images/DarkMode.jpg) ### System voice commands diff --git a/devices/hololens/hololens2-autopilot.md b/devices/hololens/hololens2-autopilot.md index 02c0a61b10..39e0029ff0 100644 --- a/devices/hololens/hololens2-autopilot.md +++ b/devices/hololens/hololens2-autopilot.md @@ -185,24 +185,7 @@ The Enrollment Status Page (ESP) displays the status of the complete device conf ![ESP configuration](./images/hololens-ap-profile-settings.png) -### 8. Configure a custom configuration profile for HoloLens devices (known issue) - -1. In [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com), select **Devices** > **Configuration profiles** > **Create profile**. -1. For **Platform**, specify **Windows 10 and later**, and for **Profile**, select **Custom**. -1. Select **Create**. -1. Enter a name for the profile, and then select **Settings** > **Configure**. - - ![Settings for the custom configuration profile.](./images/hololens-ap-profile-settings-oma.png) -1. Select **Add**, and then specify the following information: - - - **Name**: SidecarPath - - **OMA-URI**: ./images/Device/Vendor/MSFT/EnrollmentStatusTracking/DevicePreparation/PolicyProviders/Sidecar/InstallationState - - **Data type**: Integer - - **Value**: 2 -1. Select **OK** two times, and then select **Create** to create the profile. -1. After Intune creates the configuration profile, assign the configuration profile to the device group for the HoloLens devices. - -### 9. Verify the profile status of the HoloLens devices +### 8. Verify the profile status of the HoloLens devices 1. In Microsoft Endpoint Manager Admin Center, select **Devices** > **Windows** > **Windows enrollment** > **Devices**. 1. Verify that the HoloLens devices are listed, and that their profile status is **Assigned**. @@ -234,7 +217,7 @@ At the end of OOBE, you can sign in to the device by using your user name and pa ## Known Issues -- The list of supported languages for Autopilot deployment profiles includes languages that HoloLens does not support. Select a language that [HoloLens supports](hololens2-language-support.md). +- You cannot install applications that use the device security context. ## Feedback diff --git a/devices/hololens/hololens2-language-support.md b/devices/hololens/hololens2-language-support.md index 955eec82e6..e97e9dd065 100644 --- a/devices/hololens/hololens2-language-support.md +++ b/devices/hololens/hololens2-language-support.md @@ -62,7 +62,7 @@ The setup process configures your HoloLens for a specific region and language. Y If the supported language that you're looking for is not in the menu, follow these steps: 1. Under **Preferred languages**, select **Add a language**. -2. Locater and add the language. +2. Locate and add the language. 3. Select the **Windows display language** menu again, and then select the language that you added in the previous step. ### To change the keyboard layout diff --git a/devices/hololens/images/DarkMode.jpg b/devices/hololens/images/DarkMode.jpg new file mode 100644 index 0000000000..f2cd7c4510 Binary files /dev/null and b/devices/hololens/images/DarkMode.jpg differ diff --git a/devices/hololens/images/MicrosoftHoloLensRecovery.png b/devices/hololens/images/MicrosoftHoloLensRecovery.png new file mode 100644 index 0000000000..b162b881d8 Binary files /dev/null and b/devices/hololens/images/MicrosoftHoloLensRecovery.png differ diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 47862d7138..91a487f9a0 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -53,7 +53,7 @@ appliesto: | [HoloLens user management](hololens-multiple-users.md) | Multiple users can share a HoloLens device by using their Azure Active Directory accounts. | | [HoloLens application access management](hololens-kiosk.md) | Manage application access for different user groups. | | [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. | -| [Contact Support](https://support.microsoft.com/supportforbusiness/productselection) | Create a new support request for the business support team. | +| [Contact Support](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f) | Create a new support request for the business support team. | | [More support options](https://support.microsoft.com/products/hololens) | Connect with Microsoft support resources for HoloLens in the enterprise. | ## Related resources diff --git a/devices/surface-hub/surface-hub-2s-account.md b/devices/surface-hub/surface-hub-2s-account.md index fb93b0e7d9..27c7053045 100644 --- a/devices/surface-hub/surface-hub-2s-account.md +++ b/devices/surface-hub/surface-hub-2s-account.md @@ -1,6 +1,6 @@ --- -title: "Create Surface Hub 2S device account" -description: "This page describes the procedure for creating the Surface Hub 2S device account." +title: Create Surface Hub 2S device account +description: This page describes the procedure for creating the Surface Hub 2S device account. keywords: separate values with commas ms.prod: surface-hub ms.sitesec: library @@ -15,15 +15,18 @@ ms.localizationpriority: Medium # Create Surface Hub 2S device account -Creating a Surface Hub device account (also known as a Room mailbox) allows Surface Hub 2S to receive, approve, or decline meeting requests and join meetings using Microsoft Teams or Skype for Business. Configure the device account during OOBE setup. If needed you can change it later (without going through OOBE setup). +Creating a Surface Hub device account (also known as a Room mailbox) allows Surface Hub 2S to receive, approve, or decline meeting requests and join meetings using either Microsoft Teams or Skype for Business. Configure the device account during Out-of-Box Experience (OOBE) setup. If needed, you can change it later (without going through OOBE setup). Unlike standard Room mailboxes that remain disabled by default, you need to enable the Surface Hub 2S device account to sign on to Microsoft Teams and Skype for Business. Surface Hub 2S relies on Exchange ActiveSync, which requires an ActiveSync mailbox policy on the device account. Apply the default ActiveSync mailbox policy that comes with Exchange Online. -Create the account using the Microsoft 365 admin center or by using PowerShell. You can use Exchange Online PowerShell to configure specific features including: +Create the account by using the Microsoft 365 admin center or by using PowerShell. You can use Exchange Online PowerShell to configure specific features including: - Calendar processing for every Surface Hub device account. - Custom auto replies to scheduling requests. -- If the default ActiveSync mailbox policy has already been modified by someone else or another process, you will likely have to create and assign a new ActiveSync mailbox policy +- If the default ActiveSync mailbox policy has already been modified by someone else or by another process, you will likely have to create and assign a new ActiveSync mailbox policy. + +> [!NOTE] +> The Surface Hub device account doesn’t support third-party Federated Identity Providers (FIPs) and must be a standard Active Directory or Azure Active Directory account. ## Create account using Microsoft 365 admin center @@ -31,17 +34,17 @@ Create the account using the Microsoft 365 admin center or by using PowerShell. 2. Provide a name and email address for the device account. Leave remaining settings unchanged in the default state. -![Provide a name and email address](images/sh2-account2.png) + ![Provide a name and email address](images/sh2-account2.png) -![Leave remaining settings unchanged in the default state](images/sh2-account3.png) + ![Leave remaining settings unchanged in the default state](images/sh2-account3.png) 3. Set the password for the device account. To set the password, choose **Users** and then select **Active Users**. Now search for the newly created user to set the password. Ensure that you **do not** select the option **Make this user change their password when they first sign in.** -![Set the password for the device account](images/sh2-account4.png) + ![Set the password for the device account](images/sh2-account4.png) 4. Assign the room with an Office 365 license. It’s recommended to assign the Office 365 **Meeting Room** license, a new option that automatically enables the account for Skype for Business Online and Microsoft Teams. -![Assign Office 365 license](images/sh2-account5.png) + ![Assign Office 365 license](images/sh2-account5.png) ### Finalize setup via PowerShell @@ -50,6 +53,7 @@ Create the account using the Microsoft 365 admin center or by using PowerShell. - **Microsoft Teams and Skype for Business Calendar:** Set [**Calendar Auto processing**](https://docs.microsoft.com/surface-hub/surface-hub-2s-account?source=docs#set-calendar-auto-processing) for this account. ## Create account using PowerShell + Instead of using the Microsoft Admin Center portal, you can create the account using PowerShell. ### Connect to Exchange Online PowerShell @@ -59,13 +63,13 @@ $365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ImportResults = Import-PSSession $365Session ``` -### Create a new Room Mailbox +### Create a new Room mailbox ```powershell New-Mailbox -MicrosoftOnlineServicesID account@YourDomain.com -Alias SurfaceHub2S -Name SurfaceHub2S -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String "" -AsPlainText -Force) ``` -### Set Calendar Auto processing +### Set Calendar auto-processing ```powershell Set-CalendarProcessing -Identity "account@YourDomain.com" -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true -AdditionalResponse "This room is equipped with a Surface Hub" @@ -81,7 +85,7 @@ Set-MsolUserLicense -UserPrincipalName "account@YourDomain.com" -AddLicenses "co ## Connect to Skype for Business Online using PowerShell -### Install prerequisites +### Install pre-requisites - [Visual C++ 2017 Redistributable](https://aka.ms/vs/15/release/vc_redist.x64.exe) - [Skype for Business Online PowerShell Module](https://www.microsoft.com/download/confirmation.aspx?id=39366) diff --git a/devices/surface-hub/surface-hub-security.md b/devices/surface-hub/surface-hub-security.md index 4dc2b7518e..faee5ad929 100644 --- a/devices/surface-hub/surface-hub-security.md +++ b/devices/surface-hub/surface-hub-security.md @@ -5,7 +5,7 @@ keywords: separate values with commas ms.prod: surface-hub ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin manager: laurawi audience: Admin ms.topic: article diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 4d8062c985..27582aebe5 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -38,12 +38,12 @@ ### [Enable the Surface Laptop keyboard during MDT deployment](enable-surface-keyboard-for-windows-pe-deployment.md) ### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md) ### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) -### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md) ### [Surface System SKU reference](surface-system-sku-reference.md) ## Manage ### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) +### [Manage Surface driver updates in Configuration Manager](manage-surface-driver-updates-configuration-manager.md) ### [Optimize Wi-Fi connectivity for Surface devices](surface-wireless-connect.md) ### [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) ### [Surface Dock Firmware Update](surface-dock-firmware-update.md) diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md index 017f34559f..4abd9e0c86 100644 --- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md +++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md @@ -11,7 +11,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article --- diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md index 296a57b10e..6d9533bb52 100644 --- a/devices/surface/assettag.md +++ b/devices/surface/assettag.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.localizationpriority: medium ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: hachidan manager: laurawi diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 35be5e736d..b1aed6e997 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md index f68989b045..e8ce13b98d 100644 --- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md +++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md index 70d53dae71..cb492c2620 100644 --- a/devices/surface/customize-the-oobe-for-surface-deployments.md +++ b/devices/surface/customize-the-oobe-for-surface-deployments.md @@ -11,7 +11,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.audience: itpro --- diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md index 121be61007..fc2956ead6 100644 --- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md +++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, store ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md index 47f14939db..bb8e62fb6b 100644 --- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md +++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md index a7220315da..7431a22a8a 100644 --- a/devices/surface/deploy.md +++ b/devices/surface/deploy.md @@ -8,7 +8,7 @@ ms.sitesec: library author: coveminer ms.reviewer: manager: laurawi -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/documentation/surface-system-sku-reference.md b/devices/surface/documentation/surface-system-sku-reference.md index 0d49be965e..0014ad0c25 100644 --- a/devices/surface/documentation/surface-system-sku-reference.md +++ b/devices/surface/documentation/surface-system-sku-reference.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article --- # Surface System SKU Reference @@ -26,6 +26,7 @@ System SKU is a variable (along with System Model and others) stored in System M | Surface Book 2 15inch | Surface Book 2 | Surface_Book_1793 | | Surface Go Consumer | Surface Go | Surface_Go_1824_Consumer | | Surface Go Commercial | Surface Go | Surface_Go_1824_Commercial | +| Surface Go 2 | Surface Go 2 | Surface_Go_2_1927 | | Surface Pro 6 Consumer | Surface Pro 6 | Surface_Pro_6_1796_Consumer | | Surface Pro 6 Commercial | Surface Pro 6 | Surface_Pro_6_1796_Commercial | | Surface Laptop 2 Consumer | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer | diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md index d51a90413e..36f05515f3 100644 --- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md +++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md @@ -11,7 +11,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article --- diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md index 56282326a4..6eb848da41 100644 --- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md +++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index abc4672793..a68242b88a 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md @@ -11,7 +11,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.audience: itpro --- diff --git a/devices/surface/images/manage-surface-driver-updates-1.png b/devices/surface/images/manage-surface-driver-updates-1.png new file mode 100644 index 0000000000..58cec90ea0 Binary files /dev/null and b/devices/surface/images/manage-surface-driver-updates-1.png differ diff --git a/devices/surface/images/manage-surface-driver-updates-2.png b/devices/surface/images/manage-surface-driver-updates-2.png new file mode 100644 index 0000000000..26bcfcda74 Binary files /dev/null and b/devices/surface/images/manage-surface-driver-updates-2.png differ diff --git a/devices/surface/images/manage-surface-driver-updates-3.png b/devices/surface/images/manage-surface-driver-updates-3.png new file mode 100644 index 0000000000..e1dafd7f15 Binary files /dev/null and b/devices/surface/images/manage-surface-driver-updates-3.png differ diff --git a/devices/surface/images/manage-surface-driver-updates-4.png b/devices/surface/images/manage-surface-driver-updates-4.png new file mode 100644 index 0000000000..5e6e4cafb4 Binary files /dev/null and b/devices/surface/images/manage-surface-driver-updates-4.png differ diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md index c250085467..17e6d48fb1 100644 --- a/devices/surface/ltsb-for-surface.md +++ b/devices/surface/ltsb-for-surface.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md index 36197ca93f..e7c739be75 100644 --- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md +++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/manage-surface-driver-and-firmware-updates.md b/devices/surface/manage-surface-driver-and-firmware-updates.md index 75ccff3070..a1eea22998 100644 --- a/devices/surface/manage-surface-driver-and-firmware-updates.md +++ b/devices/surface/manage-surface-driver-and-firmware-updates.md @@ -11,18 +11,18 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.audience: itpro --- # Manage and deploy Surface driver and firmware updates - + How you manage Surface driver and firmware updates varies depending on your environment and organizational requirements. On Surface devices, firmware is exposed to the operating system as a driver and is visible in Device Manager, enabling device firmware and drivers to be automatically updated using Windows Update or Windows Update for Business. Although this simplified approach may be feasible for startups and small or medium-sized businesses, larger organizations typically need IT admins to distribute updates internally. This may involve comprehensive planning, application compatibility testing, piloting and validating updates, before final approval and distribution across the network. > [!NOTE] > This article is intended for technical support agents and IT professionals and applies to Surface devices only. If you're looking for help to install Surface updates or firmware on a home device, see [Update Surface firmware and Windows 10](https://support.microsoft.com/help/4023505). - + While enterprise-grade software distribution solutions continue to evolve, the business rationale for centrally managing updates remains the same: Maintain the security of Surface devices and keep them updated with the latest operating system and feature improvements. This is essential for sustaining a stable production environment and ensuring users aren't blocked from being productive. This article provides an overview of recommended tools and processes for larger organizations to accomplish these goals. ## Central update management in commercial environments @@ -32,18 +32,17 @@ Microsoft has streamlined tools for managing devices – including driver and fi ### Manage updates with Configuration Manager and Intune Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Surface firmware and driver updates with the Configuration Manager client. Integration with Microsoft Intune lets you see all your managed, co-managed, and partner-managed devices in one place. This is the recommended solution for large organizations to manage Surface updates. - + For detailed steps, see the following resources: -- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager) -- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). +- [How to manage Surface driver updates in Configuration Manager](https://docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager.md) +- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications) - [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/) - ### Manage updates with Microsoft Deployment Toolkit Included in Endpoint Configuration Manager, the Microsoft Deployment Toolkit (MDT) contains optional deployment tools that you may wish to use depending on your environment. These include the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), and User State Migration Tool (USMT). You can download the latest version of MDT from the [Microsoft Deployment Toolkit download page](https://www.microsoft.com/download/details.aspx?id=54259). - + For detailed steps, see the following resources: - [Microsoft Deployment Toolkit documentation](https://docs.microsoft.com/configmgr/mdt/) @@ -54,7 +53,6 @@ Surface driver and firmware updates are packaged as Windows Installer (*.msi) fi For instructions on how to deploy updates by using Endpoint Configuration Manager refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt). - **WindowsPE and Surface firmware and drivers** Endpoint Configuration Manager and MDT both use the Windows Preinstallation Environment (WindowsPE) during the deployment process. WindowsPE only supports a limited set of basic drivers such as those for network adapters and storage controllers. Drivers for Windows components that are not part of WindowsPE might produce errors. As a best practice, you can prevent such errors by configuring the deployment process to use only the required drivers during the WindowsPE phase. @@ -65,13 +63,12 @@ Starting in Endpoint Configuration Manager, you can synchronize and deploy Micro ## Supported devices -Downloadable .msi files are available for Surface devices from Surface Pro 2 and later. Information about .msi files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release. - +Downloadable .msi files are available for Surface devices from Surface Pro 2 and later. Information about .msi files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release. ## Managing firmware with DFCI With Device Firmware Configuration Interface (DFCI) profiles built into Intune (now available in [public preview](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows)), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. For more information, see: - + - [Intune management of Surface UEFI settings](https://docs.microsoft.com/surface/surface-manage-dfci-guide) - [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333). @@ -93,7 +90,6 @@ Specific versions of Windows 10 have separate .msi files, each containing all re - Management engine (ME) - Unified extensible firmware interface (UEFI) - ### Downloading .msi files 1. Browse to [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware) on the Microsoft Download Center. @@ -102,8 +98,7 @@ Specific versions of Windows 10 have separate .msi files, each containing all re ![Figure 1. Downloading Surface updates](images/fig1-downloads-msi.png) *Figure 1. Downloading Surface updates* - - + ### Surface .msi naming convention Since August 2019, .msi files have used the following naming convention: @@ -120,14 +115,15 @@ This file name provides the following information: - **Windows release:** Win10 - **Build:** 18362 - **Version:** 19.073.44195 – This shows the date and time that the file was created, as follows: - - **Year:** 19 (2019) - - **Month and week:** 073 (third week of July) - - **Minute of the month:** 44195 + - **Year:** 19 (2019) + - **Month and week:** 073 (third week of July) + - **Minute of the month:** 44195 - **Revision of version:** 0 (first release of this version) ### Legacy Surface .msi naming convention + Legacy .msi files (files built before August 2019) followed the same overall naming formula but used a different method to derive the version number. - **** + **Example** - SurfacePro6_Win10_16299_1900307_0.msi @@ -138,13 +134,11 @@ This file name provides the following information: - **Windows release:** Win10 - **Build:** 16299 - **Version:** 1900307 – This shows the date that the file was created and its position in the release sequence, as follows: - - **Year:** 19 (2019) - - **Number of release:** 003 (third release of the year) - - **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro) + - **Year:** 19 (2019) + - **Number of release:** 003 (third release of the year) + - **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro) - **Revision of version:** 0 (first release of this version) - - ## Learn more - [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware) @@ -157,4 +151,3 @@ This file name provides the following information: - [Intune management of Surface UEFI settings](https://docs.microsoft.com/surface/surface-manage-dfci-guide) - [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333). - [Build deployment rings for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) - diff --git a/devices/surface/manage-surface-driver-updates-configuration-manager.md b/devices/surface/manage-surface-driver-updates-configuration-manager.md new file mode 100644 index 0000000000..a6fc726ee7 --- /dev/null +++ b/devices/surface/manage-surface-driver-updates-configuration-manager.md @@ -0,0 +1,181 @@ +--- +title: Manage Surface driver updates in Configuration Manager +description: This article describes the available options to manage and deploy firmware and driver updates for Surface devices. +ms.assetid: b64879c4-37eb-4fcf-a000-e05cbb3d26ea +ms.reviewer: +author: v-miegge +manager: laurawi +keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB +ms.localizationpriority: medium +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: surface, devices +ms.sitesec: library +author: coveminer +ms.author: daclark +ms.topic: article +audience: itpro +--- + +# Manage Surface driver updates in Configuration Manager + +## Summary + +Starting in [Microsoft System Center Configuration Manager version 1710](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1710#software-updates), you can synchronize and deploy Microsoft Surface firmware and driver updates directly through the Configuration Manager client. The process resembles deploying regular updates. However, some additional configurations are required to get the Surface driver updates into your catalog. + +## Prerequisites + +To manage Surface driver updates, the following prerequisites must be met: + +- You must use Configuration Manager version 1710 or a later version. +- All Software Update Points (SUPs) must run Windows Server 2016 or a later version. Otherwise, Configuration Manager ignores this setting and Surface drivers won't be synchronized. + +> [!NOTE] +> If your environment doesn’t meet the prerequisites, refer to the [alternative methods](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager#1) to deploy Surface driver and firmware updates in the [FAQ](#frequently-asked-questions-faq) section. + +## Useful log files + +The following logs are especially useful when you manage Surface driver updates. + +|Log name|Description| +|---|---| +|WCM.log|Records details about the software update point configuration and connections to the WSUS server for subscribed update categories, classifications, and languages.| +|WsyncMgr.log|Records details about the software updates sync process.| + +These logs are located on the site server that manages the SUP, or on the SUP itself if it's installed directly on a site server. +For a complete list of Configuration Manager logs, see [Log files in System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/log-files). + +## Enabling Surface driver updates management + +To enable Surface driver updates management in Configuration Manager, follow these steps: + +1. In the Configuration Manager console, go to **Administration** > **Overview** > **Site Configuration** > **Sites**. +1. Select the site that contains the top-level SUP server for your environment. +1. On the ribbon, select **Configure Site Components**, and then select **Software Update Point**. Or, right-click the site, and then select **Configure Site Components** > **Software Update Point**. +1. On the **Classifications** tab, select the **Include Microsoft Surface drivers and firmware updates** check box. + + ![Software Update Point Component Properties](images/manage-surface-driver-updates-1.png) + +1. When you're prompted by the following warning message, select **OK**. + + ![Configuration Manager](images/manage-surface-driver-updates-2.png) + +1. On the Products tab, select the products that you want to update, and then select **OK**. + + Most drivers belong to the following product groups: + + - Windows 10 and later version drivers + - Windows 10 and later Upgrade & Servicing Drivers + - Windows 10 Anniversary Update and Later Servicing Drivers + - Windows 10 Anniversary Update and Later Upgrade & Servicing Drivers + - Windows 10 Creators Update and Later Servicing Drivers + - Windows 10 Creators Update and Later Upgrade & Servicing Drivers + - Windows 10 Fall Creators Update and Later Servicing Drivers + - Windows 10 Fall Creators Update and Later Upgrade & Servicing Drivers + - Windows 10 S and Later Servicing Drivers + - Windows 10 S Version 1709 and Later Servicing Drivers for testing + - Windows 10 S Version 1709 and Later Upgrade & Servicing Drivers for testing + + > [!NOTE] + > Most Surface drivers belong to multiple Windows 10 product groups. You may not have to select all the products that are listed here. To help reduce the number of products that populate your Update Catalog, we recommend that you select only the products that are required by your environment for synchronization. + +## Verifying the configuration + +To verify that the SUP is configured correctly, follow these steps: + +1. Open WsyncMgr.log, and then look for the following entry: + + ```console + Surface Drivers can be supported in this hierarchy since all SUPs are on Windows Server 2016, WCM SCF property Sync Catalog Drivers is set. + + Sync Catalog Drivers SCF value is set to : 1 + ``` + + If either of the following entries is logged in WsyncMgr.log, recheck step 4 in the previous section: + + ```console + Sync Surface Drivers option is not set + + Sync Catalog Drivers SCF value is set to : 0 + ``` + +1. Open WCM.log, and then look for an entry that resembles the following: + + ![WCM.log settings](images/manage-surface-driver-updates-3.png) + + This entry is an XML element that lists every product group and classification that's currently synchronized by your SUP server. For example, you might see an entry that resembles the following: + + ```xml + + + + + + ``` + + If you can't find the products that you selected in step 6 in the previous section, double-check whether the SUP settings are saved. + + You can also wait until the next synchronization finishes, and then check whether the Surface driver and firmware updates are listed in Software Updates in the Configuration Manager console. For example, the console might display the following information: + + ![All Software Updates Search Results](images/manage-surface-driver-updates-4.png) + +## Manual synchronization + +If you don't want to wait until the next synchronization, follow these steps to start a synchronization: + +1. In the Configuration Manager console, go to **Software Library** > **Overview** > **Software Updates** > **All Software Updates**. +1. On the ribbon, select **Synchronize Software Updates**. Or, right-click **All Software Update**, and then select **Synchronize Software Update**. +1. Monitor the synchronization progress by looking for the following entries in WsyncMgr.log: + + ```console + Surface Drivers can be supported in this hierarchy since all SUPs are on Windows Server 2016, WCM SCF property Sync Catalog Drivers is set. + + sync: SMS synchronizing categories + sync: SMS synchronizing categories, processed 0 out of 311 items (0%) + sync: SMS synchronizing categories, processed 311 out of 311 items (100%) + sync: SMS synchronizing categories, processed 311 out of 311 items (100%) + sync: SMS synchronizing updates + + Synchronizing update 7eaa0148-c42b-45fd-a1ab-012c82972de6 - Microsoft driver update for Surface Type Cover Integration + Synchronizing update 2dcb07f8-37ec-41ef-8cd5-030bf24dc1d8 - Surface driver update for Surface Pen Pairing + Synchronizing update 63067414-ae52-422b-b3d1-0382a4d6519a - Surface driver update for Surface UEFI + Synchronizing update 8e4e3a41-a784-4dd7-9a42-041f43ddb775 - Surface driver update for Surface Integration + Synchronizing update 7f8baee8-419f-47e2-918a-045a15a188e7 - Microsoft driver update for Surface DTX + Synchronizing update aed66e05-719b-48cd-a0e7-059e50f67fdc - Microsoft driver update for Surface Base Firmware Update + Synchronizing update 8ffe1526-6e66-43cc-86e3-05ad92a24e3a - Surface driver update for Surface UEFI + Synchronizing update 74102899-0a49-48cf-97e6-05bde18a27ff - Microsoft driver update for Surface UEFI + ``` + +## Deploying Surface firmware and driver updates + +You can deploy Surface firmware and driver updates in the same manner as you deploy other updates. + +For more information about deployment, see [System Center 2012 Configuration Manager–Part7: Software Updates (Deploy)](https://blogs.technet.microsoft.com/elie/2012/05/25/system-center-2012-configuration-managerpart7-software-updates-deploy/). + +## Frequently asked questions (FAQ) + +**After I follow the steps in this article, my Surface drivers are still not synchronized. Why?** + +If you synchronize from an upstream Windows Server Update Services (WSUS) server, instead of Microsoft Update, make sure that the upstream WSUS server is configured to support and synchronize Surface driver updates. All downstream servers are limited to updates that are present in the upstream WSUS server database. + +There are more than 68,000 updates that are classified as drivers in WSUS. To prevent non-Surface related drivers from synchronizing to Configuration Manager, Microsoft filters driver synchronization against an allow list. After the new allow list is published and incorporated into Configuration Manager, the new drivers are added to the console following the next synchronization. Microsoft aims to get the Surface drivers added to the allow list each month in line with Patch Tuesday to make them available for synchronization to Configuration Manager. + +If your Configuration Manager environment is offline, a new allow list is imported every time you import [servicing updates](https://docs.microsoft.com/mem/configmgr/core/servers/manage/use-the-service-connection-tool) to Configuration Manager. You will also have to import a [new WSUS catalog](https://docs.microsoft.com/mem/configmgr/sum/get-started/synchronize-software-updates-disconnected) that contains the drivers before the updates are displayed in the Configuration Manager console. Because a stand-alone WSUS environment contains more drivers than a Configuration Manager SUP, we recommend that you establish a Configuration Manager environment that has online capabilities, and that you configure it to synchronize Surface drivers. This provides a smaller WSUS export that closely resembles the offline environment. + +If your Configuration Manager environment is online and able to detect new updates, you will receive updates to the list automatically. If you don’t see the expected drivers, please review the WCM.log and WsyncMgr.log for any synchronization failures. + +**My Configuration Manager environment is offline, can I manually import Surface drivers into WSUS?** + +No. Even if the update is imported into WSUS, the update won't be imported into the Configuration Manager console for deployment if it isn't listed in the allow list. You must use the [Service Connection Tool](https://docs.microsoft.com/mem/configmgr/core/servers/manage/use-the-service-connection-tool) to import servicing updates to Configuration Manager to update the allow list. + +**What alternative methods do I have to deploy Surface driver and firmware updates?** + +For information about how to deploy Surface driver and firmware updates through alternative channels, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates). If you want to download the .msi or .exe file, and then deploy through traditional software deployment channels, see [Keeping Surface Firmware Updated with Configuration Manager](https://docs.microsoft.com/archive/blogs/thejoncallahan/keeping-surface-firmware-updated-with-configuration-manager). + +## Additional Information + +For more information about Surface driver and firmware updates, see the following articles: + +- [Download the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) +- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates) +- [Considerations for Surface and System Center Configuration Manager](https://docs.microsoft.com/surface/considerations-for-surface-and-system-center-configuration-manager) diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md index c5f41821d3..f56bcb55d1 100644 --- a/devices/surface/manage-surface-uefi-settings.md +++ b/devices/surface/manage-surface-uefi-settings.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: devices, surface author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md index f0e6c5d221..2bb2c8a956 100644 --- a/devices/surface/microsoft-surface-brightness-control.md +++ b/devices/surface/microsoft-surface-brightness-control.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: hachidan manager: laurawi diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md index ab4c3a46c4..d9f0e6200d 100644 --- a/devices/surface/support-solutions-surface.md +++ b/devices/surface/support-solutions-surface.md @@ -10,7 +10,7 @@ ms.mktglfcycl: support ms.sitesec: library ms.pagetype: surfacehub author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 09/26/2019 ms.localizationpriority: medium diff --git a/devices/surface/surface-book-quadro.md b/devices/surface/surface-book-quadro.md index 79fb762dba..8b1599f5b4 100644 --- a/devices/surface/surface-book-quadro.md +++ b/devices/surface/surface-book-quadro.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.localizationpriority: medium ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 5/06/2020 ms.reviewer: brrecord diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md index 044b0e0437..19eb605696 100644 --- a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md +++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md index 035eec60da..d7b8828415 100644 --- a/devices/surface/surface-diagnostic-toolkit-command-line.md +++ b/devices/surface/surface-diagnostic-toolkit-command-line.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: hachidan manager: laurawi diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md index 795bff7f7f..7734d2a4fa 100644 --- a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md +++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: hachidan manager: laurawi diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index 2b19282899..10939f979e 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: cottmca manager: laurawi diff --git a/devices/surface/surface-dock-whats-new.md b/devices/surface/surface-dock-whats-new.md index 253a73b069..f3443b6c31 100644 --- a/devices/surface/surface-dock-whats-new.md +++ b/devices/surface/surface-dock-whats-new.md @@ -8,14 +8,14 @@ ms.sitesec: library author: coveminer ms.author: greglin ms.topic: article -ms.date: 5/06/2020 +ms.date: 5/29/2020 ms.reviewer: brrecord manager: laurawi audience: itpro --- # What’s new in Surface Dock 2 -Surface Dock 2, the next generation Surface dock, lets users connect external monitors and multiple peripherals to obtain a fully modernized desktop experience from a Surface device. Built to maximize efficiency at the office, in a flexible workspace, or at home, Surface Dock 2 features seven ports, including two front-facing USB-C ports, with 15 watts of fast charging power for phone and accessories. Surface Dock 2 is designed to simplify IT management, enabling admins to automate firmware updates using Windows Update or centralize updates with internal software distribution tools. An extended set of management tools will be released via Windows update upon commercial distribution. +Surface Dock 2, the next generation Surface dock, lets users connect external monitors and multiple peripherals to obtain a fully modernized desktop experience from a Surface device. Built to maximize efficiency at the office, in a flexible workspace, or at home, Surface Dock 2 features seven ports, including two front-facing USB-C ports, with 15 watts of fast charging power for phone and accessories. Surface Dock 2 is designed to simplify IT management, enabling admins to automate firmware updates using Windows Update or centralize updates with internal software distribution tools. Surface Enterprise Management Mode (SEMM) now enables IT admins to secure ports on Surface Dock 2. For more information, see [Secure Surface Dock 2 ports with Surface Enterprise Management Mode](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/secure-surface-dock-2-ports-with-surface-enterprise-management/ba-p/1418999). ## General system requirements @@ -28,8 +28,7 @@ Surface Dock 2, the next generation Surface dock, lets users connect external mo - Surface Book 2 - Surface Laptop 2 - Surface Go - - Surface Go with LTE Advanced - - Surface Studio 2 + - Surface Go with LTE Advanced - Surface Pro 7 - Surface Laptop 3 - Surface Book 3 @@ -86,7 +85,7 @@ Surface Dock 2, the next generation Surface dock, lets users connect external mo |Surflink|Yes|Yes| |USB-A|2 front facing USB 3.1 Gen 1
2 rear facing USB 3.1 Gen 1|2 rear facing USB 3.2 Gen 2 (7.5W power)| |Mini Display port|2 rear facing (DP1.2)|None| -|USB-C|None|2 front facing USB 3.2 Gen 2
[15W power]
2 rear facing USB 3.2 Gen 2 (DP1.4a)
[7.5W power]| +|USB-C|None|2 front facing USB 3.2 Gen 2
(15W power)
2 rear facing USB 3.2 Gen 2 (DP1.4a)
(7.5W power)| |3.5 mm Audio in/out|Yes|Yes| |Ethernet|Yes, 1 gigabit|Yes 1 gigabit| |DC power in|Yes|Yes| @@ -99,20 +98,18 @@ Surface Dock 2, the next generation Surface dock, lets users connect external mo |Wake-on-LAN from Connected Standby1|Yes|Yes| |Wake-on-LAN from S4/S5 sleep modes|No|Yes| |Network PXE boot|Yes|Yes| -|SEMM host access control|No|Coming in Windows Update2| -|SEMM port access control3|No|Coming in Windows Update| +|SEMM host access control|No|Yes +|SEMM port access control2|No|Yes| |Servicing support|MSI|Windows Update or MSI| |||| 1. *Devices must be configured for Wake on LAN via Surface Enterprise Management Mode (SEMM) or Device Firmware Control Interface (DFCI) to wake from Hibernation or Power-Off states. Wake from Hibernation or Power-Off is supported on Surface Pro 7, Surface Laptop 3, Surface Pro X, Surface Book 3, and Surface Go 2. Software license required for some features. Sold separately.* -2. *Pending release via Windows Update.* - -3. *Software license required for some features. Sold separately.* +2. *Software license required for some features. Sold separately.* ## Streamlined device management -Following the public announcement of Surface Dock 2, Surface will release streamlined management functionality via Windows Update enabling IT admins to utilize the following enterprise-grade features: +Surface has released streamlined management functionality via Windows Update enabling IT admins to utilize the following enterprise-grade features: - **Frictionless updates**. Update your docks silently and automatically, with Windows Update or Microsoft Endpoint Configuration Manager, (formerly System Center Configuration Manager - SCCM) or other MSI deployment tools. - **Wake from the network**. Manage and access corporate devices without depending on users to keep their devices powered on. Even when a docked device is in sleep, hibernation, or power off mode, your team can wake from the network for service and management, using Endpoint Configuration Manager or other enterprise management tools. @@ -120,5 +117,6 @@ Following the public announcement of Surface Dock 2, Surface will release stream ## Next steps +- [Secure Surface Dock 2 ports with Surface Enterprise Management Mode](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/secure-surface-dock-2-ports-with-surface-enterprise-management/ba-p/1418999) - [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) - [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 4599e50712..d44626e6a8 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -9,11 +9,11 @@ ms.sitesec: library author: coveminer ms.author: greglin ms.topic: article -ms.reviewer: scottmca +ms.reviewer: hachidan manager: laurawi ms.localizationpriority: medium audience: itpro -ms.date: 05/11/2020 +ms.date: 05/26/2020 --- # Microsoft Surface Enterprise Management Mode @@ -228,14 +228,27 @@ create a reset package using PowerShell to reset SEMM. ## Version History -The latest version of SEMM released May 11, 2020 includes: +### Version 2.71.139.0 + +This version of SEMM adds support for Surface Dock 2 management features for Surface Book 3, Surface Laptop 3, and Surface Pro 7 including: + +- Enabling audio (locking/unlocking), Ethernet and USB ports +- Ability to create dock packages for both authenticated and unauthenticated hosts + +### Version 2.70.130.0 + +This version of SEMM includes: + - Support for Surface Go 2 - Support for Surface Book 3 - Bug fixes -### Version 2.59. -* Support to Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported. -- Support to Wake on Power feature + +### Version 2.59.139.0 + +* Support for Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported. + +- Support for Wake on Power feature ### Version 2.54.139.0 * Support to Surface Hub 2S diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md index f21805f1a7..e1df0dc226 100644 --- a/devices/surface/surface-manage-dfci-guide.md +++ b/devices/surface/surface-manage-dfci-guide.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 11/13/2019 ms.reviewer: jesko diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md index 488eeca1a2..5b7adaf812 100644 --- a/devices/surface/surface-pro-arm-app-management.md +++ b/devices/surface/surface-pro-arm-app-management.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.localizationpriority: high ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 4/15/2020 ms.reviewer: jessko diff --git a/devices/surface/surface-pro-arm-app-performance.md b/devices/surface/surface-pro-arm-app-performance.md index 4459d6052b..10f3e57bbd 100644 --- a/devices/surface/surface-pro-arm-app-performance.md +++ b/devices/surface/surface-pro-arm-app-performance.md @@ -6,7 +6,7 @@ ms.localizationpriority: medium ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 10/03/2019 ms.reviewer: jessko diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index c0de20193f..499e718991 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 03/09/2020 ms.reviewer: diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md index 24a358065b..34c653abc0 100644 --- a/devices/surface/surface-wireless-connect.md +++ b/devices/surface/surface-wireless-connect.md @@ -7,7 +7,7 @@ ms.sitesec: library author: coveminer ms.audience: itpro ms.localizationpriority: medium -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: tokatz manager: laurawi diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md index 0caea932ab..6750387137 100644 --- a/devices/surface/unenroll-surface-devices-from-semm.md +++ b/devices/surface/unenroll-surface-devices-from-semm.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md index c9345502d8..7602e690be 100644 --- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md +++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index 21616dc89e..91c1b17875 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md deleted file mode 100644 index 0309d071ec..0000000000 --- a/devices/surface/using-the-sda-deployment-share.md +++ /dev/null @@ -1,172 +0,0 @@ ---- -title: Using the Microsoft Surface Deployment Accelerator deployment share (Surface) -description: Explore the scenarios where you can use SDA to meet the deployment needs of your organization including Proof of Concept, pilot deployment, as well as import additional drivers and applications. -keywords: deploy, install, automate, deployment solution -ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: surface, devices -ms.sitesec: library -author: coveminer -ms.author: v-jokai -ms.topic: article -ms.localizationpriority: medium -ms.audience: itpro -ms.reviewer: -manager: laurawi ---- - -# Using the Microsoft Surface Deployment Accelerator deployment share - -With Microsoft Surface Deployment Accelerator (SDA), you can quickly and easily set up a deployment solution that is ready to deploy Windows to Surface devices. The prepared environment is built on powerful deployment technologies available from Microsoft, such as the [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/windows/dn475741), and is capable of immediately performing a deployment after configuration. See [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator) for a comprehensive walkthrough of using the SDA wizard to set up a deployment share and perform a deployment. - -For more information about SDA and information on how to download SDA, see [Microsoft Surface Deployment Accelerator (SDA)](https://technet.microsoft.com/itpro/surface/microsoft-surface-deployment-accelerator). - -> [!NOTE] -> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md). - -Using SDA provides these primary benefits: - -* With SDA, you can create a ready-to-deploy environment that can deploy to target devices as fast as your download speeds allow. The wizard experience enables you to check a few boxes and then the automated process builds your deployment environment for you. - -* With SDA, you prepare a deployment environment built on the industry leading deployment solution of MDT. With MDT you can scale from a relatively basic deployment of a few Surface devices to a solution capable of deploying to thousands of devices including all of the different makes and models in your organization and all of the applications required by each device and user. - -This article explores four scenarios where you can use SDA to meet the needs of your organization. See [Deploy Windows 10](https://technet.microsoft.com/itpro/windows/deploy/index) to explore the capabilities of MDT and the Windows deployment technologies available from Microsoft in greater detail. - -## Perform a Proof of Concept deployment - -One of the primary scenarios for use of SDA is as a Proof of Concept. A *Proof of Concept* (PoC) enables you to test or evaluate the capabilities of a solution or technology. A PoC is often used to illustrate the benefits of the solution or technology to decision makers. For example, if you want to recommend Surface devices as a replacement of older point of sale (POS) systems, you could perform a PoC to demonstrate how Surface devices provide superior computing power, flexibility, and connectivity when compared to alternate options. - -Using SDA to prepare a PoC of Surface devices enables you to very quickly prepare a demonstration of Surface device or devices, which gives you more time for customization or preparation. The flexibility of SDA even lets you import resources, like applications and drivers, from existing MDT deployment infrastructure. See the [Work with existing deployment shares](#work-with-existing-deployment-shares) section later in this article for more information. - -SDA is also an excellent PoC of the capabilities of MDT. SDA demonstrates just how quickly an MDT deployment environment can be prepared and made ready for deployment to devices. It also shows just how flexible and customizable the MDT solution can be, with support for Windows 10 and Windows 8.1, for Microsoft Store and desktop applications, and several models of Surface devices. - -Some recommendations for a successful PoC with SDA are: - -* Keep your SDA deployment environment separate from your production network. This ensures optimal performance and reduces potential for conflicts during your PoC deployment. - -* Use a fresh and updated instance of Windows Server to house your SDA deployment share to maintain the simplicity and performance of the demonstration environment. - -* Test the deployment process before you demonstrate your PoC. This reduces the potential for unexpected situations and keeps the demonstration focused on the deployment process and Surface devices. - -* Use offline files with SDA to further reduce installation times. - -* For help with your PoC, contact [Surface Support](https://www.microsoft.com/surface/support/contact-us-business). - -## Perform a pilot deployment - -A pilot deployment differs from a PoC. Where a PoC is usually a closed demonstration that is performed prior to the deployment process in order to get approval for the use of certain technologies or solutions, a *pilot deployment* is performed during the deployment process as a limited scope deployment for testing and validation. The focus of a pilot deployment can be as narrow as only a handful of devices, or wide enough to include a significant portion of your organization. - ->[!NOTE] ->A pilot deployment should not replace the testing process that should be performed regularly in the lab as the deployment environment is built and developed. A deployment solution should be tested in virtual and physical environments as new applications and drivers are added and when task sequences are modified and before a pilot deployment is performed. - -For example, you are tasked with deploying Surface devices to mobile workers and you want to test the organization’s MDT deployment process by providing a small number of devices to executives. You can use SDA to create an isolated Surface deployment environment and then copy the task sequence, applications, and drivers needed from the production deployment share. This not only enables you to quickly create a Surface deployment, but it also minimizes the risk to the production deployment process used for other types of devices. - -For small organizations, the pilot deployment environment of SDA may suffice as a complete deployment solution. Even if you do not have an existing deployment environment, you can import drivers and applications (covered later in this article) to provide a complete deployment solution based on MDT. Even without previous knowledge of MDT or Windows deployment, you can follow the [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator) article to get started with a deployment to Surface devices. - -## Import additional drivers - -The SDA deployment share includes all of the drivers needed for Surface devices. This includes the drivers for the components inside the Surface device, such as the wireless network adapter and the main chipset, as well as drivers for Surface accessories, such as the Surface Dock or Surface USB Ethernet adapters. The SDA deployment share does not, however, include drivers for third-party devices or peripherals. - -For example, you may intend to use your Surface device with a thermal printer, credit card reader, and barcode scanner as a POS terminal. In this scenario, the thermal printer, credit card reader, and barcode scanner will very likely require installation of drivers to operate properly. You could potentially download and install these drivers from Windows Update when each peripheral is connected, or you could install the driver package from the manufacturer manually on each Surface device, but the ideal solution is to have these drivers already present in Windows so that when the peripheral is connected, it will just work. - -Because SDA is built on MDT, adding the drivers to the SDA deployment share is easy and simple. - ->[!NOTE] ->The drivers must be in the Setup Information File (.inf) format. If the drivers for your device come as an executable file (.exe), they may need to be extracted or installed to procure the .inf file. Some device drivers come packaged with applications, for example an all-in-one printer bundled with scan software. These applications will need to be installed separately from the drivers. - -To import drivers for a peripheral device: - -1. Download the drivers for your device from the manufacturer web site. - -2. Open the MDT Deployment Workbench. - -3. Expand the **Deployment Shares** node and expand the SDA deployment share. - -4. Expand the **Out-of-Box Drivers** folder. - -5. Select the folder of the Surface model for which you would like to include this driver. - -6. Click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1. - - ![Provide the location of your driver files](images/using-sda-driverfiles-fig1.png "Provide the location of your driver files") - - *Figure 1. Provide the location of your driver files* - -7. The Import Drivers Wizard presents a series of steps: - - - **Specify Directory** – Click **Browse** and navigate to the folder where you stored the drivers in Step 1. - - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - - **Progress** – While the drivers are imported, a progress bar is displayed on this page. - - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard. - -8. Repeat Steps 5-7 for each Surface model on which you would like to include this driver. - -9. Close the Deployment Workbench. - -After the drivers are imported for the Surface model, the deployment task sequence will automatically select the drivers during the deployment process and include them in the Windows environment. When you connect your device, such as the barcode scanner in the example, Windows should automatically detect the device and you should be able to use it immediately. - ->[!NOTE] ->You can even import drivers for other computer makes and models to support other devices. See **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt) for more information about how to import drivers for other makes and models. - -## Import additional applications - -As with drivers, the SDA deployment share can be pre-configured with apps like the Surface App and Microsoft Office 365. You can also add applications to the SDA deployment share and configure them to be installed on your Surface devices during deployment of Windows. In the ideal scenario, your Surface devices deployed with the SDA deployment share will include all of the applications needed to be ready for your end users. - -In the previous example for including drivers for a POS system, you would also need to include POS software for processing transactions and recording the input from the barcode scanner and credit card reader. To import an application and prepare it for installation on your Surface devices during Windows deployment: - -1. Download the application installation files or locate the installation media for your application. - -2. Determine the command line instruction for silent installation, usually provided by the developer of the application. For Windows Installer files (.msi), see [Standard Installer Command-Line Options](https://msdn.microsoft.com/library/windows/desktop/aa372024) in the Windows Dev Center. - -3. Open the MDT Deployment Workbench. - -4. Expand the **Deployment Shares** node and expand the SDA deployment share. - -5. Expand the **Applications** folder. - -6. Click **New Application** to start the New Application Wizard, as shown in Figure 2. - - ![Provide the command to install your application](images/using-sda-installcommand-fig2.png "Provide the command to install your application") - - *Figure 2: Provide the command to install your application* - -7. Follow the steps of the New Application Wizard: - - - **Application Type** – Click **Application with Source Files**, and then click **Next**. - - **Details** – Enter a name for the application in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**. - - **Source** – Click **Browse** to navigate to and select the folder with the application installation files procured in Step 1, and then click **Next**. - - **Destination** – Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name. - - **Command Details** – Enter the silent command-line instruction, for example `setup.msi /quiet /norestart` - - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - - **Progress** – While the installation files are imported, a progress bar is displayed on this page. - - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard. - -8. Click the **Task Sequences** folder, right-click **1 - Deploy Microsoft Surface**, and then click **Properties**. - -9. Click the **Task Sequence** tab to view the steps that are included in the new task sequence. - -10. Select the **Windows Update (Pre-Application Installation)** step, and then click **Add**. - -11. Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3. - - ![A new Install Application step for Sample POS App](images/using-sda-newinstall-fig3.png "A new Install Application step for Sample POS App") - - *Figure 3. A new Install Application step for Sample POS App* - -12. On the **Properties** tab of the new **Install Application** step, enter **Install - Sample POS App** in the **Name** field, where *Sample POS App* is the name of your app. - -13. Click **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share. - -14. Select your app from the list of applications, and then click **OK**. - -15. Click **OK** to close the task sequence properties. - -16. Close the Deployment Workbench. - -## Work with existing deployment shares - -One of the many benefits of an MDT deployment share is the simplicity of how deployment resources are stored. The MDT deployment share is, at its core, just a standard network file share. All deployment resources, such as Windows images, application installation files, and drivers, are stored in a share that can be browsed with File Explorer, copied and pasted, and moved just like any other file share, provided that you have the necessary permissions. This makes working with deployment resources extremely easy. MDT even allows you to make it easier by allowing you to open multiple deployment shares from the Deployment Workbench and to transfer or copy resources between them. - -This ability gives SDA some extra capabilities when used in an environment with an existing MDT infrastructure. For example, if you install SDA on an isolated server to prepare a PoC and then log on to your production MDT deployment share from the Deployment Workbench on your SDA server, you can copy applications, drivers, task sequences, and other components into the SDA deployment share that is prepared with Surface apps and drivers. With this process, in a very short amount time, you can have a deployment environment ready to deploy your organization’s precise requirements to Surface devices. - -You can also use this capability in reverse. For example, you can copy the Surface drivers, deployment task sequences, and apps directly into a lab or testing environment following a successful PoC. Using these resources, you can immediately begin to integrate Surface deployment into your existing deployment infrastructure. diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md index a6686dcf69..b9c11bd90f 100644 --- a/devices/surface/wake-on-lan-for-surface-devices.md +++ b/devices/surface/wake-on-lan-for-surface-devices.md @@ -8,7 +8,7 @@ ms.pagetype: surface, devices ms.sitesec: library ms.localizationpriority: medium author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: scottmca manager: laurawi diff --git a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md index 76656d39e1..38d5dc61eb 100644 --- a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md +++ b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md @@ -4,7 +4,6 @@ title: How to Revert Extension Points From an App-V 5.0 Package to an App-V 4.6 description: How to Revert Extension Points From an App-V 5.0 Package to an App-V 4.6 Package for a Specific User ms.assetid: f1d2ab1f-0831-4976-b49f-169511d3382a author: dansimp -ms.assetid: f1d2ab1f-0831-4976-b49f-169511d3382a ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md b/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md index 0345a45113..bad9d61431 100644 --- a/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md +++ b/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md @@ -4,7 +4,6 @@ title: How to Use an App-V 4.6 Application From an App-V 5.0 Application description: How to Use an App-V 4.6 Application From an App-V 5.0 Application ms.assetid: 4e78cb32-9c8b-478e-ae8b-c474a7e42487 author: msfttracyp -ms.assetid: 4e78cb32-9c8b-478e-ae8b-c474a7e42487 ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md index cd77d39b06..8a255ed548 100644 --- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md +++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md @@ -11,8 +11,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.prod: w10 ms.date: 8/30/2018 -ms.author: pashort -author: shortpatti +ms.author: dansimp --- # Applying hotfixes on MBAM 2.5 SP1 diff --git a/mdop/mbam-v25/deploy-mbam.md b/mdop/mbam-v25/deploy-mbam.md index a921105176..c035e3eadb 100644 --- a/mdop/mbam-v25/deploy-mbam.md +++ b/mdop/mbam-v25/deploy-mbam.md @@ -8,7 +8,6 @@ ms.author: delhan ms.sitesec: library ms.prod: w10 ms.date: 09/16/2019 -manager: dcscontentpm --- # Deploying MBAM 2.5 in a standalone configuration diff --git a/mdop/mbam-v25/troubleshooting-mbam-installation.md b/mdop/mbam-v25/troubleshooting-mbam-installation.md index f2d0494b7f..9dce3b1297 100644 --- a/mdop/mbam-v25/troubleshooting-mbam-installation.md +++ b/mdop/mbam-v25/troubleshooting-mbam-installation.md @@ -8,7 +8,6 @@ ms.author: delhan ms.sitesec: library ms.prod: w10 ms.date: 09/16/2019 -manager: dcscontentpm --- # Troubleshooting MBAM 2.5 installation problems diff --git a/mdop/mbam-v25/upgrade-mbam2.5-sp1.md b/mdop/mbam-v25/upgrade-mbam2.5-sp1.md index 153757ee67..0e55529039 100644 --- a/mdop/mbam-v25/upgrade-mbam2.5-sp1.md +++ b/mdop/mbam-v25/upgrade-mbam2.5-sp1.md @@ -2,11 +2,10 @@ title: Upgrading from MBAM 2.5 to MBAM 2.5 SP1 Servicing Release Update author: dansimp ms.author: ksharma -manager: +manager: miaposto audience: ITPro ms.topic: article ms.prod: w10 -manager: miaposto ms.localizationpriority: Normal --- diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md index b62b89b55a..9b5f3ae040 100644 --- a/smb/cloud-mode-business-setup.md +++ b/smb/cloud-mode-business-setup.md @@ -2,7 +2,7 @@ title: Deploy and manage a full cloud IT solution for your business description: Learn how to set up a cloud infrastructure for your business, acquire devices and apps, and configure and deploy policies to your devices. keywords: smb, full cloud IT solution, small to medium business, deploy, setup, manage, Windows, Intune, Office 365 -ms.prod: +ms.prod: w10 ms.technology: ms.author: eravena audience: itpro @@ -13,6 +13,7 @@ author: eavena ms.reviewer: manager: dansimp ms.localizationpriority: medium +ms.topic: conceptual --- # Get started: Deploy and manage a full cloud IT solution for your business diff --git a/smb/index.md b/smb/index.md index 5cc2746261..1f9527ebf2 100644 --- a/smb/index.md +++ b/smb/index.md @@ -2,16 +2,17 @@ title: Windows 10 for small to midsize businesses description: Microsoft products and devices to transform and grow your businessLearn how to use Windows 10 for your small to midsize business. keywords: Windows 10, SMB, small business, midsize business, business -ms.prod: +ms.prod: w10 ms.technology: ms.topic: article -ms.author: celested +ms.author: dansimp ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: smb -author: CelesteDG +author: dansimp ms.localizationpriority: medium manager: dansimp +audience: itpro --- # Windows 10 for SMB diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md index b7fea1a9ef..04c86ceb64 100644 --- a/store-for-business/microsoft-store-for-business-education-powershell-module.md +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md @@ -9,7 +9,6 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.author: ms.date: 10/22/2017 ms.reviewer: manager: dansimp diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index da98a12e3b..b82c42bf9a 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -13,7 +13,7 @@ ms.author: dansimp ms.topic: article --- -# Enable or block Windows Mixed Reality apps in the enterprise +# Enable or block Windows Mixed Reality apps in enterprises **Applies to** @@ -33,7 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - a. Download the FOD .cab file for [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + a. Download the FOD .cab file for [Windows 10, version 20H1](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). >[!NOTE] >You must download the FOD .cab file that matches your operating system version. diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 35c0f225b0..91bc510d5f 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -29,7 +29,7 @@ The tools in the folder might vary depending on which edition of Windows you are ![Screenshot of folder of admin tools](images/admin-tools-folder.png) -These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool. +These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders. @@ -43,6 +43,8 @@ These tools were included in previous versions of Windows and the associated doc - [ODBC Data Sources]( https://go.microsoft.com/fwlink/p/?LinkId=708494) - [Performance Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708495) - [Print Management](https://go.microsoft.com/fwlink/p/?LinkId=708496) +- [Recovery Drive](https://support.microsoft.com/help/4026852/windows-create-a-recovery-drive) +- [Registry Editor](https://docs.microsoft.com/windows/win32/sysinfo/registry) - [Resource Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708497) - [Services](https://go.microsoft.com/fwlink/p/?LinkId=708498) - [System Configuration](https://go.microsoft.com/fwlink/p/?LinkId=708499) @@ -60,7 +62,3 @@ These tools were included in previous versions of Windows and the associated doc - - - - diff --git a/windows/client-management/determine-appropriate-page-file-size.md b/windows/client-management/determine-appropriate-page-file-size.md index b6abb3661e..8daf0f4ce4 100644 --- a/windows/client-management/determine-appropriate-page-file-size.md +++ b/windows/client-management/determine-appropriate-page-file-size.md @@ -8,8 +8,8 @@ author: Deland-Han ms.localizationpriority: medium ms.author: delhan ms.date: 8/28/2019 -ms.reviewer: -manager: dcscontentpm +ms.reviewer: dcscontentpm +manager: dansimp --- # How to determine the appropriate page file size for 64-bit versions of Windows diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md index cee81bcd72..2f12bd900f 100644 --- a/windows/client-management/introduction-page-file.md +++ b/windows/client-management/introduction-page-file.md @@ -7,8 +7,8 @@ ms.topic: troubleshooting author: Deland-Han ms.localizationpriority: medium ms.author: delhan -ms.reviewer: greglin -manager: dcscontentpm +ms.reviewer: dcscontentpm +manager: dansimp --- # Introduction to page files diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 40de22d2b3..7a9545e09a 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -40,7 +40,7 @@ Available naming macros: Supported operation is Add. > [!Note] -> For desktop PCs on the next major release of Windows 10 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md). +> For desktop PCs on Windows 10, version 2004 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md). **Users** Interior node for the user account information. diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index c76115e831..f93af2f2a2 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2808,4 +2808,4 @@ The following list shows the CSPs supported in HoloLens devices: - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. - 7 - Added in Windows 10, version 1909. -- 8 - Added in the next major release of Windows 10. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 859ffd1672..285d96ddf8 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -14,9 +14,6 @@ ms.date: 03/27/2020 # DevDetail CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. These device parameters are not sent from the client to the server automatically, but can be queried by servers using OMA DM commands. > [!NOTE] @@ -135,7 +132,7 @@ Value type is string. Supported operations are Get and Replace. **Ext/Microsoft/DNSComputerName** -Added in the next major release of Windows 10. This node specifies the DNS computer name for a device. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 63 characters. This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md). +Added in Windows 10, version 2004. This node specifies the DNS computer name for a device. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 63 characters. This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md). The following are the available naming macros: diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index c2df51c0ae..b03d28832e 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -37,7 +37,7 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. -In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/). +In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/) For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. @@ -52,9 +52,10 @@ The following steps demonstrate required settings using the Intune service: ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png) -> [!IMPORTANT] -> For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. -> For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. + > [!IMPORTANT] + > For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. + > + > For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. 3. Verify that the device OS version is Windows 10, version 1709 or later. 4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. @@ -93,7 +94,7 @@ You may contact your domain administrators to verify if the group policy has bee This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). Requirements: -- AD-joined PC running Windows 10, version 1709 +- AD-joined PC running Windows 10, version 1709 or later - Enterprise has MDM service already configured - Enterprise AD must be registered with Azure AD @@ -109,27 +110,27 @@ Requirements: ![MDM policies](images/autoenrollment-mdm-policies.png) -4. Double-click **Enable Automatic MDM enrollment using default Azure AD credentials**. +4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available. ![MDM autoenrollment policy](images/autoenrollment-policy.png) 5. Click **Enable**, then click **OK**. -> [!NOTE] -> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. -The default behavior for older releases is to revert to **User Credential**. + > [!NOTE] + > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. + > The default behavior for older releases is to revert to **User Credential**. -When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." + When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." -To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). + To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). -If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot. + If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot. -![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png) + ![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png) -> [!Tip] -> You can avoid this behavior by using Conditional Access Policies in Azure AD. -Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview). + > [!Tip] + > You can avoid this behavior by using Conditional Access Policies in Azure AD. + Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview). 6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account. @@ -159,27 +160,28 @@ Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/a ## Configure the auto-enrollment for a group of devices Requirements: -- AD-joined PC running Windows 10, version 1709 +- AD-joined PC running Windows 10, version 1709 or later - Enterprise has MDM service already configured (with Intune or a third party service provider) - Enterprise AD must be integrated with Azure AD. - Ensure that PCs belong to same computer group. -> [!IMPORTANT] -> If you do not see the policy, it may be because you don’t have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible): -> 1. Download: -> 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or -> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or -> 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all) -> 2. Install the package on the Domain Controller. -> 3. Navigate, depending on the version to the folder: -> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or -> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or -> 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** -> 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. -> 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. -> (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain). -> 6. Restart the Domain Controller for the policy to be available. -> This procedure will work for any future version as well. +[!IMPORTANT] +If you do not see the policy, it may be because you don’t have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible): + 1. Download: + 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or + 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or + 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all) + 2. Install the package on the Domain Controller. + 3. Navigate, depending on the version to the folder: + 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or + 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or + 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** + 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. + 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. + (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain). + 6. Restart the Domain Controller for the policy to be available. + + This procedure will work for any future version as well. 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. 2. Create a Security Group for the PCs. @@ -187,7 +189,6 @@ Requirements: 4. Filter using Security Groups. ## Troubleshoot auto-enrollment of devices - Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. To collect Event Viewer logs: @@ -241,10 +242,10 @@ To collect Event Viewer logs: - [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx) - [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx) - [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx) +- [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) ### Useful Links - [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591) - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) -- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880) diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 1c440edf96..5384ce0168 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -14,9 +14,6 @@ ms.date: 09/27/2019 # EnterpriseModernAppManagement CSP -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). > [!Note] @@ -329,6 +326,7 @@ Required. The value is 0 or 1 that indicates if the app is provisioned on the de Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/IsStub** +Added in Windows 10, version 2004. Required. This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int. diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 386f5a8c48..9251f6a755 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -8,7 +8,7 @@ ms.sitesec: library author: dansimp ms.localizationpriority: medium ms.author: dansimp -ms.topic: +ms.topic: conceptual --- # How Mobile Device Management Providers support eSIM Management on Windows diff --git a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png index 6ece851369..76df1eafea 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png and b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png index 5c90ec5a2b..4328edcad7 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png and b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png index 498ce66f47..f123d98073 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png differ diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 0ab027fca0..8a720f94a0 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -24,6 +24,7 @@ This topic provides information about what's new and breaking changes in Windows For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). - **What’s new in MDM for Windows 10 versions** + - [What’s new in MDM for Windows 10, version 2004](#whats-new-in-mdm-for-windows-10-version-2004) - [What’s new in MDM for Windows 10, version 1909](#whats-new-in-mdm-for-windows-10-version-1909) - [What’s new in MDM for Windows 10, version 1903](#whats-new-in-mdm-for-windows-10-version-1903) - [What’s new in MDM for Windows 10, version 1809](#whats-new-in-mdm-for-windows-10-version-1809) @@ -58,6 +59,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What is dmwappushsvc?](#what-is-dmwappushsvc) - **Change history in MDM documentation** + - [May 2020](#may-2020) - [February 2020](#february-2020) - [January 2020](#january-2020) - [November 2019](#november-2019) @@ -87,6 +89,45 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [September 2017](#september-2017) - [August 2017](#august-2017) +## What’s new in MDM for Windows 10, version 2004 + ++++ + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
Policy CSP

Added the following new policies in Windows 10, version 2004:

+
DevDetail CSP

Added the following new node:
Ext/Microsoft/DNSComputerName

+
EnterpriseModernAppManagement CSP

Added the following new node:
IsStub

+
SUPL CSP

Added the following new node:
FullVersion

+
+ ## What’s new in MDM for Windows 10, version 1909 @@ -1940,6 +1981,13 @@ How do I turn if off? | The service can be stopped from the "Services" console o ## Change history in MDM documentation +### May 2020 +|New or updated topic | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.| +|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with additional details. Added policy timeline table. + + ### February 2020 |New or updated topic | Description| |--- | ---| diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 798bbae111..b2bfd70f15 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -14,10 +14,6 @@ manager: dansimp # Policy CSP - ApplicationManagement -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - -
@@ -436,15 +432,15 @@ Most restricted value: 0 - + - + - +
Businesscheck mark7check mark8
Enterprisecheck mark7check mark8
Educationcheck mark7check mark8
@@ -462,7 +458,7 @@ Most restricted value: 0 -Added in the next major release of Windows 10. +Added in Windows 10, version 2004. Manages non-administrator users' ability to install Windows app packages. @@ -1112,7 +1108,7 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. -- 7 - Added in the next major release of Windows 10. - +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 40e770a691..74dbe86c25 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - Bluetooth -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
@@ -412,19 +409,19 @@ The default value is an empty string. For more information, see [ServicesAllowed Pro - check mark7 + check mark8 Business - check mark7 + check mark8 Enterprise - check mark7 + check mark8 Education - check mark7 + check mark8 @@ -441,8 +438,7 @@ The default value is an empty string. For more information, see [ServicesAllowed -Added in the next major release of Windows 10. -There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments. +Added in Windows 10, version 2004. There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments. @@ -470,8 +466,8 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. -- 7 - Added in the next major release of Windows 10. - +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 825ac41a15..3f4beef3e9 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -52,23 +52,23 @@ manager: dansimp Home - check mark + check mark8 Pro - check mark + check mark8 Business - check mark + check mark8 Enterprise - check mark + check mark8 Education - check mark + check mark8 @@ -85,7 +85,7 @@ manager: dansimp -Added in next major release of Windows 10. This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality. +Added in Windows 10, version 2004. This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality. ADMX Info: @@ -283,6 +283,8 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 3b7a445092..4935d3f947 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -155,7 +155,7 @@ where: ### Policy timeline -The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For the latest release of Windows 10, you can use name or SID for both the elements, as described in this topic. +The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in this topic. The following table describes how this policy setting behaves in different Windows 10 versions: @@ -163,7 +163,7 @@ The following table describes how this policy setting behaves in different Windo | ------------------ | --------------- | |Windows 10, version 1803 | Added this policy setting.
XML accepts group and member only by name.
Supports configuring the administrators group using the group name.
Expects member name to be in the account name format. | | Windows 10, version 1809
Windows 10, version 1903
Windows 10, version 1909 | Supports configuring any local group.
`` accepts only name.
`` accepts a name or an SID.
This is useful when you want to ensure a certain local group always has a well-known SID as member. | -| The latest release of Windows 10 | Behaves as described in this topic.
Accepts name or SID for group and members and translates as appropriate. | +| Windows 10, version 2004 | Behaves as described in this topic.
Accepts name or SID for group and members and translates as appropriate. | @@ -178,5 +178,7 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 7786a5eb5c..a116d3b084 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -815,19 +815,19 @@ This setting supports a range of values between 0 and 1. Pro - check mark + check mark8 Business - check mark + check mark8 Enterprise - check mark + check mark8 Education - check mark + check mark8 @@ -848,7 +848,7 @@ This setting supports a range of values between 0 and 1. > - The policy is only enforced in Windows 10 for desktop. > - This policy requires reboot to take effect. -Added in next major release of Windows 10. Allows IT admins to configure Microsoft Japanese IME version in the desktop. +Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Japanese IME version in the desktop. @@ -878,19 +878,19 @@ The following list shows the supported values: Pro - check mark + check mark8 Business - check mark + check mark8 Enterprise - check mark + check mark8 Education - check mark + check mark8 @@ -911,7 +911,7 @@ The following list shows the supported values: > - This policy is enforced only in Windows 10 for desktop. > - This policy requires reboot to take effect. -Added in next major release of Windows 10. Allows IT admins to configure Microsoft Simplified Chinese IME version in the desktop. +Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Simplified Chinese IME version in the desktop. @@ -941,19 +941,19 @@ The following list shows the supported values: Pro - check mark + check mark8 Business - check mark + check mark8 Enterprise - check mark + check mark8 Education - check mark + check mark8 @@ -974,7 +974,7 @@ The following list shows the supported values: > - This policy is enforced only in Windows 10 for desktop. > - This policy requires reboot to take effect. -Added in next major release of Windows 10. Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop. +Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop. @@ -1718,6 +1718,8 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens2.md b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md index 5e31cf4abc..0a0040f58c 100644 --- a/windows/client-management/mdm/policy-csps-supported-by-hololens2.md +++ b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md @@ -104,7 +104,7 @@ Footnotes: - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. - 7 - Added in Windows 10, version 1909. -- 8 - Added in the next major release of Windows 10. +- 8 - Added in Windows 10, version 2004. ## Related topics diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 64077761f8..28d0b9c42e 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -14,9 +14,6 @@ ms.date: 09/12/2019 # SUPL CSP -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - The SUPL configuration service provider is used to configure the location client, as shown in the following table: @@ -89,7 +86,7 @@ For OMA DM, if the format for this node is incorrect the entry will be ignored a Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define the minor version and the service indicator. **FullVersion** -Added in the next major release of Windows 10. Optional. Determines the full version (X.Y.Z where X, Y, and Z are the major version, the minor version, and the service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. +Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z where X, Y, and Z are the major version, the minor version, and the service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. **MCCMNCPairs** Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network do not match, the device uses the default location service and does not use SUPL. diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index ab3a46a409..14cd5810b2 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -260,7 +260,7 @@ Note that the data payload of the SyncML needs to be encoded so that it does not The **LocURI** for the above GP policy is: -`.\Device\Vendor\MSFT\Policy\Config\AppVirtualization\PublishingAllowServer2` +`./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2` To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown. diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index da5cc3e5c8..8b4d14515d 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -25,6 +25,33 @@ ms.topic: reference Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/100591). +## New Group Policy settings in Windows 10, version 1903 + +The following Group Policy settings were added in Windows 10, version 1903: + +**System** + +- System\Service Control Manager Settings\Security Settings\Enable svchost.exe mitigation options +- System\Storage Sense\Allow Storage Sense +- System\Storage Sense\Allow Storage Sense Temporary Files cleanup +- System\Storage Sense\Configure Storage Sense +- System\Storage Sense\Configure Storage Sense Cloud content dehydration threshold +- System\Storage Sense\Configure Storage Sense Recycle Bin cleanup threshold +- System\Storage Sense\Configure Storage Sense Downloads cleanup threshold +- System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems + + +**Windows Components** + +- Windows Components\App Privacy\Let Windows apps activate with voice +- Windows Components\App Privacy\Let Windows apps activate with voice while the system is locked +- Windows Components\Data Collection and Preview Builds\Allow commercial data pipeline +- Windows Components\Data Collection and Preview Builds\Configure collection of browsing data for Desktop Analytics +- Windows Components\Data Collection and Preview Builds\Configure diagnostic data upload endpoint for Desktop Analytics +- Windows Components\Delivery Optimization\Delay background download Cache Server fallback (in seconds) +- Windows Components\Delivery Optimization\Delay Foreground download Cache Server fallback (in seconds) +- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections +- Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot ## New Group Policy settings in Windows 10, version 1809 @@ -496,4 +523,3 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId= - diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 28f7edaab0..d0806c95e1 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -8,8 +8,8 @@ author: Deland-Han ms.localizationpriority: medium ms.author: delhan ms.date: 8/22/2019 -ms.reviewer: -manager: dcscontentpm +ms.reviewer: dcscontentpm +manager: dansimp --- # Configure system failure and recovery options in Windows diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index 5556b97262..667776a7f8 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -110,10 +110,10 @@ To verify the BCD entries: >[!NOTE] >This output may not contain a path. -2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. +2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device**, **path**, **osdevice**, and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. > [!NOTE] - > If the computer is UEFI-based, the **bootmgr** and **winload** entries under **{default}** will contain an **.efi** extension. + > If the computer is UEFI-based, the filepath value specified in the **path** parameter of **{bootmgr}** and **{default}** will contain an **.efi** extension. ![bcdedit](images/screenshot1.png) diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index 55040620db..0d01784273 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -2,7 +2,7 @@ ## [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md) ## [Configure access to Microsoft Store](stop-employees-from-using-microsoft-store.md) ## [Configure Cortana in Windows 10](cortana-at-work/cortana-at-work-overview.md) -## [Set up and test Cortana in Windows 10, version 2004 and later](cortana-at-work/set-up-and-test-cortana-in-windows-10) +## [Set up and test Cortana in Windows 10, version 2004 and later](cortana-at-work/set-up-and-test-cortana-in-windows-10.md) ## [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md) ### [Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query](cortana-at-work/cortana-at-work-scenario-1.md) ### [Test scenario 2 - Perform a Bing search with Cortana](cortana-at-work/cortana-at-work-scenario-2.md) @@ -13,13 +13,13 @@ ## [Send feedback about Cortana back to Microsoft](cortana-at-work/cortana-at-work-feedback.md) ## [Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization](cortana-at-work/cortana-at-work-o365.md) ## [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md) -### [Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query](cortana-at-work/test-scenario-1) -### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/test-scenario-2) -### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/test-scenario-3) -### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/test-scenario-4) -### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/test-scenario-5) -### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work/test-scenario-6) -### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work/cortana-at-work-scenario-7) +### [Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query](cortana-at-work/test-scenario-1.md) +### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/test-scenario-2.md) +### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/test-scenario-3.md) +### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/test-scenario-4.md) +### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/test-scenario-5.md) +### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work/test-scenario-6.md) +### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work/cortana-at-work-scenario-7.md) ## [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md) ## [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md) ## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index 61fdb9257a..d915ec9aee 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -33,7 +33,7 @@ There are a few things to be aware of before you start using Cortana in Windows - **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](https://go.microsoft.com/fwlink/p/?LinkId=620763). -### Turn on Cortana enterprise services on employees devices +### Turn on Cortana enterprise services on employees' devices Your employees must connect Cortana to their Microsoft 365 account to be able to use skills like email and calendar. #### Turn on Cortana enterprise services @@ -51,6 +51,6 @@ Cortana in Windows 10, versions 1909 and earlier can only access data in your Mi 2. Select the app launcher icon in the upper-left and choose **Admin**. -3. Expand **Settings** and select **Settings**. +3. Expand **Settings** and select **Org Settings**. 4. Select **Cortana** to toggle Cortana's access to Microsoft 365 data off. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 9bdf2f0ae6..5158bc4ada 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -34,7 +34,7 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the |**Software** |**Minimum version** | |---------|---------| -|Client operating system | Desktop:
- Windows 10, version 2004 (recommended)

- Windows 10, version 1703 (legacy version of Cortana)

Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)

For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see **How is my data processed by Cortana** below. | +|Client operating system | Desktop:
- Windows 10, version 2004 (recommended)

- Windows 10, version 1703 (legacy version of Cortana)

Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)

For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-overview#how-is-my-data-processed-by-cortana) below. | |Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn’t required. | |Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word (“Cortana”) for hands-free activation or voice commands to easily ask for help. | @@ -65,6 +65,9 @@ The table below describes the data handling for Cortana enterprise services. #### How does the wake word (Cortana) work? If I enable it, is Cortana always listening? +>[!NOTE] +>The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon. You can still click on the microphone button to use your voice with Cortana. + Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected. First, the user must enable the wake word from within Cortana settings. Once it has been enabled, a component of Windows called the [Windows Multiple Voice Assistant platform](https://docs.microsoft.com/windows-hardware/drivers/audio/voice-activation-mva#voice-activation) will start listening for the wake word. No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index ae1cc6a4a5..de5e546244 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md @@ -14,6 +14,9 @@ manager: dansimp # Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query +>[!NOTE] +>The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon. + 1. Select the **Cortana** icon in the task bar and sign in using your Azure AD account. 2. Select the "…" menu and select **Talking to Cortana**. diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md deleted file mode 100644 index d4e56af1b7..0000000000 --- a/windows/deployment/TOC.md +++ /dev/null @@ -1,283 +0,0 @@ -# [Deploy and update Windows 10](https://docs.microsoft.com/windows/deployment) -## [Deployment process posters](windows-10-deployment-posters.md) -## [Deploy Windows 10 with Microsoft 365](deploy-m365.md) -## [What's new in Windows 10 deployment](deploy-whats-new.md) -## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) -## [Windows Autopilot](windows-autopilot/windows-autopilot.md) - -## Subscription Activation -### [Windows 10 Subscription Activation](windows-10-subscription-activation.md) -### [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) -### [Configure VDA for Subscription Activation](vda-subscription-activation.md) -### [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) - -## Resolve upgrade errors -### [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) -### [Quick fixes](upgrade\quick-fixes.md) -### [SetupDiag](upgrade/setupdiag.md) -### [Troubleshooting upgrade errors](upgrade/troubleshoot-upgrade-errors.md) -### [Windows error reporting](upgrade/windows-error-reporting.md) -### [Upgrade error codes](upgrade/upgrade-error-codes.md) -### [Log files](upgrade/log-files.md) -### [Resolution procedures](upgrade/resolution-procedures.md) -### [Submit Windows 10 upgrade errors](upgrade/submit-errors.md) - -## Deploy Windows 10 -### [Deploying Windows 10](deploy.md) - -### [Windows Autopilot](windows-autopilot/windows-autopilot.md) -### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) -### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) -### [Windows 10 volume license media](windows-10-media.md) - -### [Windows 10 in S mode](s-mode.md) -#### [Switch to Windows 10 Pro/Enterprise from S mode](windows-10-pro-in-s-mode.md) - -### [Windows 10 deployment test lab](windows-10-poc.md) -#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) -#### [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) - -### [Plan for Windows 10 deployment](planning/index.md) -#### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md) -#### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) -#### [Windows 10 compatibility](planning/windows-10-compatibility.md) -#### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md) - -#### [Volume Activation [client]](volume-activation/volume-activation-windows-10.md) -##### [Plan for volume activation [client]](volume-activation/plan-for-volume-activation-client.md) -##### [Activate using Key Management Service [client]](volume-activation/activate-using-key-management-service-vamt.md) -##### [Activate using Active Directory-based activation [client]](volume-activation/activate-using-active-directory-based-activation-client.md) -##### [Activate clients running Windows 10](volume-activation/activate-windows-10-clients-vamt.md) -##### [Monitor activation [client]](volume-activation/monitor-activation-client.md) -##### [Use the Volume Activation Management Tool [client]](volume-activation/use-the-volume-activation-management-tool-client.md) -##### [Appendix: Information sent to Microsoft during activation [client]](volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md) - -#### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md) -##### [SUA User's Guide](planning/sua-users-guide.md) -###### [Using the SUA Wizard](planning/using-the-sua-wizard.md) -###### [Using the SUA Tool](planning/using-the-sua-tool.md) -####### [Tabs on the SUA Tool Interface](planning/tabs-on-the-sua-tool-interface.md) -####### [Showing Messages Generated by the SUA Tool](planning/showing-messages-generated-by-the-sua-tool.md) -####### [Applying Filters to Data in the SUA Tool](planning/applying-filters-to-data-in-the-sua-tool.md) -####### [Fixing Applications by Using the SUA Tool](planning/fixing-applications-by-using-the-sua-tool.md) -##### [Compatibility Administrator User's Guide](planning/compatibility-administrator-users-guide.md) -###### [Using the Compatibility Administrator Tool](planning/using-the-compatibility-administrator-tool.md) -####### [Available Data Types and Operators in Compatibility Administrator](planning/available-data-types-and-operators-in-compatibility-administrator.md) -####### [Searching for Fixed Applications in Compatibility Administrator](planning/searching-for-fixed-applications-in-compatibility-administrator.md) -####### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md) -####### [Creating a Custom Compatibility Fix in Compatibility Administrator](planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md) -####### [Creating a Custom Compatibility Mode in Compatibility Administrator](planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md) -####### [Creating an AppHelp Message in Compatibility Administrator](planning/creating-an-apphelp-message-in-compatibility-administrator.md) -####### [Viewing the Events Screen in Compatibility Administrator](planning/viewing-the-events-screen-in-compatibility-administrator.md) -####### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md) -####### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md) -###### [Managing Application-Compatibility Fixes and Custom Fix Databases](planning/managing-application-compatibility-fixes-and-custom-fix-databases.md) -####### [Understanding and Using Compatibility Fixes](planning/understanding-and-using-compatibility-fixes.md) -####### [Compatibility Fix Database Management Strategies and Deployment](planning/compatibility-fix-database-management-strategies-and-deployment.md) -####### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md) -###### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md) -##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) - - -### Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT) -#### [Get started with MDT](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md) - -#### Deploy Windows 10 with MDT -##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -##### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) -##### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md) -##### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md) -##### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md) -##### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md) -##### [Perform an in-place upgrade to Windows 10 with MDT](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) - -#### Customize MDT -##### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md) -##### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md) -##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md) -##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md) -##### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md) -##### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md) -##### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md) -##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md) -##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md) - -### Deploy Windows 10 with Microsoft Endpoint Configuration Manager -#### Prepare for Windows 10 deployment with Configuration Manager -##### [Prepare for Zero Touch Installation with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) -##### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md) -##### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md) -##### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) -##### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) -##### [Create a task sequence with Configuration Manager and MDT](deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md) -##### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) - -#### Deploy Windows 10 with Configuration Manager -##### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md) -##### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) -##### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) -##### [Perform an in-place upgrade to Windows 10 using Configuration Manager](deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) - -### [Windows 10 deployment tools](windows-10-deployment-tools.md) - -#### [Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) -#### [Convert MBR partition to GPT](mbr-to-gpt.md) -#### [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) -#### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) - -#### [Deploy Windows To Go in your organization](deploy-windows-to-go.md) -##### [Windows To Go: feature overview](planning/windows-to-go-overview.md) -###### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md) -###### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md) -###### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) -###### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md) -###### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md) - -#### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) -##### [Introduction to VAMT](volume-activation/introduction-vamt.md) -##### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md) -##### [Install and Configure VAMT](volume-activation/install-configure-vamt.md) -###### [VAMT Requirements](volume-activation/vamt-requirements.md) -###### [Install VAMT](volume-activation/install-vamt.md) -###### [Configure Client Computers](volume-activation/configure-client-computers-vamt.md) -##### [Add and Manage Products](volume-activation/add-manage-products-vamt.md) -###### [Add and Remove Computers](volume-activation/add-remove-computers-vamt.md) -###### [Update Product Status](volume-activation/update-product-status-vamt.md) -###### [Remove Products](volume-activation/remove-products-vamt.md) -##### [Manage Product Keys](volume-activation/manage-product-keys-vamt.md) -###### [Add and Remove a Product Key](volume-activation/add-remove-product-key-vamt.md) -###### [Install a Product Key](volume-activation/install-product-key-vamt.md) -###### [Install a KMS Client Key](volume-activation/install-kms-client-key-vamt.md) -##### [Manage Activations](volume-activation/manage-activations-vamt.md) -###### [Perform Online Activation](volume-activation/online-activation-vamt.md) -###### [Perform Proxy Activation](volume-activation/proxy-activation-vamt.md) -###### [Perform KMS Activation](volume-activation/kms-activation-vamt.md) -###### [Perform Local Reactivation](volume-activation/local-reactivation-vamt.md) -###### [Activate an Active Directory Forest Online](volume-activation/activate-forest-vamt.md) -###### [Activate by Proxy an Active Directory Forest](volume-activation/activate-forest-by-proxy-vamt.md) -##### [Manage VAMT Data](volume-activation/manage-vamt-data.md) -###### [Import and Export VAMT Data](volume-activation/import-export-vamt-data.md) -###### [Use VAMT in Windows PowerShell](volume-activation/use-vamt-in-windows-powershell.md) -##### [VAMT Step-by-Step Scenarios](volume-activation/vamt-step-by-step.md) -###### [Scenario 1: Online Activation](volume-activation/scenario-online-activation-vamt.md) -###### [Scenario 2: Proxy Activation](volume-activation/scenario-proxy-activation-vamt.md) -###### [Scenario 3: KMS Client Activation](volume-activation/scenario-kms-activation-vamt.md) -##### [VAMT Known Issues](volume-activation/vamt-known-issues.md) -#### [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) -##### [User State Migration Tool (USMT) Overview Topics](usmt/usmt-topics.md) -###### [User State Migration Tool (USMT) Overview](usmt/usmt-overview.md) -###### [Getting Started with the User State Migration Tool (USMT)](usmt/getting-started-with-the-user-state-migration-tool.md) -###### [Windows Upgrade and Migration Considerations](upgrade/windows-upgrade-and-migration-considerations.md) -##### [User State Migration Tool (USMT) How-to topics](usmt/usmt-how-to.md) -###### [Exclude Files and Settings](usmt/usmt-exclude-files-and-settings.md) -###### [Extract Files from a Compressed USMT Migration Store](usmt/usmt-extract-files-from-a-compressed-migration-store.md) -###### [Include Files and Settings](usmt/usmt-include-files-and-settings.md) -###### [Migrate Application Settings](usmt/migrate-application-settings.md) -###### [Migrate EFS Files and Certificates](usmt/usmt-migrate-efs-files-and-certificates.md) -###### [Migrate User Accounts](usmt/usmt-migrate-user-accounts.md) -###### [Reroute Files and Settings](usmt/usmt-reroute-files-and-settings.md) -###### [Verify the Condition of a Compressed Migration Store](usmt/verify-the-condition-of-a-compressed-migration-store.md) -##### [User State Migration Tool (USMT) Troubleshooting](usmt/usmt-troubleshooting.md) -###### [Common Issues](usmt/usmt-common-issues.md) -###### [Frequently Asked Questions](usmt/usmt-faq.md) -###### [Log Files](usmt/usmt-log-files.md) -###### [Return Codes](usmt/usmt-return-codes.md) -###### [USMT Resources](usmt/usmt-resources.md) -##### [User State Migration Toolkit (USMT) Reference](usmt/usmt-reference.md) -###### [USMT Requirements](usmt/usmt-requirements.md) -###### [USMT Best Practices](usmt/usmt-best-practices.md) -###### [How USMT Works](usmt/usmt-how-it-works.md) -###### [Plan Your Migration](usmt/usmt-plan-your-migration.md) -####### [Common Migration Scenarios](usmt/usmt-common-migration-scenarios.md) -####### [What Does USMT Migrate?](usmt/usmt-what-does-usmt-migrate.md) -####### [Choose a Migration Store Type](usmt/usmt-choose-migration-store-type.md) -######## [Migration Store Types Overview](usmt/migration-store-types-overview.md) -######## [Estimate Migration Store Size](usmt/usmt-estimate-migration-store-size.md) -######## [Hard-Link Migration Store](usmt/usmt-hard-link-migration-store.md) -######## [Migration Store Encryption](usmt/usmt-migration-store-encryption.md) -####### [Determine What to Migrate](usmt/usmt-determine-what-to-migrate.md) -######## [Identify Users](usmt/usmt-identify-users.md) -######## [Identify Applications Settings](usmt/usmt-identify-application-settings.md) -######## [Identify Operating System Settings](usmt/usmt-identify-operating-system-settings.md) -######## [Identify File Types, Files, and Folders](usmt/usmt-identify-file-types-files-and-folders.md) -####### [Test Your Migration](usmt/usmt-test-your-migration.md) -###### [User State Migration Tool (USMT) Command-line Syntax](usmt/usmt-command-line-syntax.md) -####### [ScanState Syntax](usmt/usmt-scanstate-syntax.md) -####### [LoadState Syntax](usmt/usmt-loadstate-syntax.md) -####### [UsmtUtils Syntax](usmt/usmt-utilities.md) -###### [USMT XML Reference](usmt/usmt-xml-reference.md) -####### [Understanding Migration XML Files](usmt/understanding-migration-xml-files.md) -####### [Config.xml File](usmt/usmt-configxml-file.md) -####### [Customize USMT XML Files](usmt/usmt-customize-xml-files.md) -####### [Custom XML Examples](usmt/usmt-custom-xml-examples.md) -####### [Conflicts and Precedence](usmt/usmt-conflicts-and-precedence.md) -####### [General Conventions](usmt/usmt-general-conventions.md) -####### [XML File Requirements](usmt/xml-file-requirements.md) -####### [Recognized Environment Variables](usmt/usmt-recognized-environment-variables.md) -####### [XML Elements Library](usmt/usmt-xml-elements-library.md) -###### [Offline Migration Reference](usmt/offline-migration-reference.md) -### [Install fonts in Windows 10](windows-10-missing-fonts.md) - -## Update Windows 10 -### [Update Windows 10 in enterprise deployments](update/index.md) -### Windows as a service -#### [Windows as a service - introduction](update/windows-as-a-service.md) -#### [Quick guide to Windows as a service](update/waas-quick-start.md) -#### [Servicing stack updates](update/servicing-stack-updates.md) -#### [Overview of Windows as a service](update/waas-overview.md) -### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) -### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) -### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md) -### Get started -#### [Get started with Windows Update](update/windows-update-overview.md) -#### [How Windows Update works](update/how-windows-update-works.md) -#### [Windows Update log files](update/windows-update-logs.md) -#### [How to troubleshoot Windows Update](update/windows-update-troubleshooting.md) -#### [Common Windows Update errors](update/windows-update-errors.md) -#### [Windows Update error code reference](update/windows-update-error-reference.md) -#### [Other Windows Update resources](update/windows-update-resources.md) -### Optimize delivery -#### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md) -#### [Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md) -#### [Set up Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization-setup.md) -#### [Delivery Optimization reference](update/waas-delivery-optimization-reference.md) -#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md) -#### [Whitepaper: Windows Updates using forward and reverse differentials](update/PSFxWhitepaper.md) -### Monitor Windows Updates -#### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) -#### [Get started with Update Compliance](update/update-compliance-get-started.md) -##### [Update Compliance Configuration Script](update/update-compliance-configuration-script.md) -##### [Manually Configuring Devices for Update Compliance](update/update-compliance-configuration-manual.md) -#### [Use Update Compliance](update/update-compliance-using.md) -##### [Need Attention! report](update/update-compliance-need-attention.md) -##### [Security Update Status report](update/update-compliance-security-update-status.md) -##### [Feature Update Status report](update/update-compliance-feature-update-status.md) -##### [Delivery Optimization in Update Compliance](update/update-compliance-delivery-optimization.md) -##### [Data Handling and Privacy in Update Compliance](update/update-compliance-privacy.md) -##### [Update Compliance Schema Reference](update/update-compliance-schema.md) -###### [WaaSUpdateStatus](update/update-compliance-schema-waasupdatestatus.md) -###### [WaaSInsiderStatus](update/update-compliance-schema-waasinsiderstatus.md) -###### [WaaSDeploymentStatus](update/update-compliance-schema-waasdeploymentstatus.md) -###### [WUDOStatus](update/update-compliance-schema-wudostatus.md) -###### [WUDOAggregatedStatus](update/update-compliance-schema-wudoaggregatedstatus.md) -### Best practices -#### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md) -#### [Update Windows 10 media with Dynamic Update](update/media-dynamic-update.md) -#### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md) -#### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md) -#### [Conclusion](update/feature-update-conclusion.md) -### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) -### Use Windows Update for Business -#### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) -#### [Configure Windows Update for Business](update/waas-configure-wufb.md) -#### [Enforcing compliance deadlines for updates](update/wufb-compliancedeadlines.md) -#### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md) -#### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md) -#### [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) -### Use Windows Server Update Services -#### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md) -#### [Enable FoD and language pack updates in Windows Update](update/fod-and-lang-packs.md) -### [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](update/waas-manage-updates-configuration-manager.md) -### [Manage device restarts after updates](update/waas-restart.md) -### [Manage additional Windows Update settings](update/waas-wu-settings.md) -### [Determine the source of Windows updates](update/windows-update-sources.md) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml new file mode 100644 index 0000000000..3dda78fbb4 --- /dev/null +++ b/windows/deployment/TOC.yml @@ -0,0 +1,515 @@ +- name: Deploy and update Windows 10 + href: index.yml + items: + - name: Get started + items: + - name: What's new + href: deploy-whats-new.md + - name: Windows 10 deployment scenarios + href: windows-10-deployment-scenarios.md + - name: What is Windows as a service? + href: update/waas-quick-start.md + - name: Windows update fundamentals + href: update/waas-overview.md + - name: Types of Windows updates + href: update/waas-quick-start.md#definitions + - name: Servicing the Windows 10 operating system + href: update/waas-servicing-strategy-windows-10-updates.md + + - name: Deployment proof of concept + items: + - name: Demonstrate Autopilot deployment on a VM + href: windows-autopilot/demonstrate-deployment-on-vm.md + - name: Deploy Windows 10 with MDT and Configuration Manager + items: + - name: 'Step by step guide: Configure a test lab to deploy Windows 10' + href: windows-10-poc.md + - name: Deploy Windows 10 in a test lab using MDT + href: windows-10-poc-mdt.md + - name: Deploy Windows 10 in a test lab using Configuration Manager + href: windows-10-poc-sc-config-mgr.md + - name: Deployment process posters + href: windows-10-deployment-posters.md + + - name: Plan + items: + - name: Create a deployment plan + href: update/create-deployment-plan.md + - name: Define readiness criteria + href: update/plan-define-readiness.md + - name: Evaluate infrastructure and tools + href: update/eval-infra-tools.md + - name: Determine application readiness + href: update/plan-determine-app-readiness.md + - name: Define your servicing strategy + href: update/waas-servicing-strategy-windows-10-updates.md + - name: Best practices for feature updates on mission-critical devices + href: update/feature-update-mission-critical.md + - name: Plan for volume activation + href: volume-activation/plan-for-volume-activation-client.md + - name: Features removed or planned for replacement + items: + - name: Windows 10 features lifecycle + href: planning/features-lifecycle.md + - name: Features we're no longer developing + href: planning/windows-10-deprecated-features.md + - name: Features we removed + href: planning/windows-10-removed-features.md + + - name: Prepare + items: + - name: Prepare to deploy Windows 10 + href: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md + - name: Evaluate and update infrastructure + href: update/update-policies.md + - name: Set up Delivery Optimization for Windows 10 updates + href: update/waas-delivery-optimization-setup.md + - name: Configure BranchCache for Windows 10 updates + href: update/waas-branchcache.md + - name: Prepare your deployment tools + items: + - name: Register devices for deployment with Windows Autopilot + href: windows-autopilot/add-devices.md + - name: Prepare for deployment with MDT + href: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md + - name: Prepare for deployment with Configuration Manager + href: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md + - name: Build a successful servicing strategy + items: + - name: Build deployment rings for Windows 10 updates + href: update/waas-deployment-rings-windows-10-updates.md + - name: Prepare updates using Windows Update for Business + href: update/waas-manage-updates-wufb.md + - name: Prepare updates using WSUS + href: update/waas-manage-updates-wsus.md + + - name: Deploy + items: + - name: Deploy Windows 10 + items: + - name: Deploy Windows 10 with Autopilot + href: windows-autopilot/windows-autopilot-scenarios.md + - name: Deploy Windows 10 with Configuration Manager + items: + - name: Deploy to a new device + href: deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md + - name: Refresh a device + href: deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md + - name: Replace a device + href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md + - name: In-place upgrade + href: deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md + - name: Deploy Windows 10 with MDT + items: + - name: Deploy to a new device + href: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md + - name: Refresh a device + href: deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md + - name: Replace a device + href: deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md + - name: In-place upgrade + href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md + - name: Subscription Activation + items: + - name: Windows 10 Subscription Activation + href: windows-10-subscription-activation.md + - name: Windows 10 Enterprise E3 in CSP + href: windows-10-enterprise-e3-overview.md + - name: Configure VDA for Subscription Activation + href: vda-subscription-activation.md + - name: Deploy Windows 10 Enterprise licenses + href: deploy-enterprise-licenses.md + - name: Deploy Windows 10 updates + items: + - name: Assign devices to servicing channels + href: update/waas-servicing-channels-windows-10-updates.md + - name: Deploy updates with Configuration Manager + href: update/deploy-updates-configmgr.md + - name: Deploy updates with Intune + href: update/waas-wufb-csp-mdm.md + - name: Deploy updates with WSUS + href: update/waas-manage-updates-wsus.md + - name: Deploy updates with Group Policy + href: update/waas-wufb-group-policy.md + - name: Update Windows 10 media with Dynamic Update + href: update/media-dynamic-update.md + - name: Manage the Windows 10 update experience + items: + - name: Manage device restarts after updates + href: update/waas-restart.md + - name: Manage additional Windows Update settings + href: update/waas-wu-settings.md + - name: Deploy feature updates during maintenance windows + href: update/feature-update-maintenance-window.md + - name: Deploy feature updates for user-initiated installations + href: update/feature-update-user-install.md + - name: Use Windows Update for Business + items: + - name: What is Windows Update for Business? + href: update/waas-manage-updates-wufb.md + - name: Configure Windows Update for Business + href: update/waas-configure-wufb.md + - name: Enforcing compliance deadlines for updates + href: update/wufb-compliancedeadlines.md + - name: Integrate Windows Update for Business with management solutions + href: update/waas-integrate-wufb.md + - name: 'Walkthrough: use Group Policy to configure Windows Update for Business' + href: update/waas-wufb-group-policy.md + - name: 'Walkthrough: use Intune to configure Windows Update for Business' + href: update/waas-wufb-csp-mdm.md + - name: Monitor Windows 10 updates + items: + - name: Monitor Delivery Optimization + href: update/waas-delivery-optimization-setup.md#monitor-delivery-optimization + - name: Monitor Windows Updates with Update Compliance + items: + - name: Get started + items: + - name: Get started with Update Compliance + href: update/update-compliance-get-started.md + - name: Update Compliance configuration script + href: update/update-compliance-configuration-script.md + - name: Manually configuring devices for Update Compliance + href: update/update-compliance-configuration-manual.md + - name: Update Compliance monitoring + items: + - name: Use Update Compliance + href: update/update-compliance-using.md + - name: Need attention report + href: update/update-compliance-need-attention.md + - name: Security update status report + href: update/update-compliance-security-update-status.md + - name: Feature update status report + href: update/update-compliance-feature-update-status.md + - name: Delivery Optimization in Update Compliance + href: update/update-compliance-delivery-optimization.md + - name: Data handling and privacy in Update Compliance + href: update/update-compliance-privacy.md + - name: Update Compliance schema reference + items: + - name: WaaSUpdateStatus + href: update/update-compliance-schema-waasupdatestatus.md + - name: WaaSInsiderStatus + href: update/update-compliance-schema-waasinsiderstatus.md + - name: WaaSDepoymentStatus + href: update/update-compliance-schema-waasdeploymentstatus.md + - name: WUDOStatus + href: update/update-compliance-schema-wudostatus.md + - name: WUDOAggregatedStatus + href: update/update-compliance-schema-wudoaggregatedstatus.md + - name: Troubleshooting + items: + - name: Resolve upgrade errors + items: + - name: Resolve Windows 10 upgrade errors + href: upgrade/resolve-windows-10-upgrade-errors.md + - name: Quick fixes + href: upgrade/quick-fixes.md + - name: SetupDiag + href: upgrade/setupdiag.md + - name: Troubleshooting upgrade errors + href: upgrade/troubleshoot-upgrade-errors.md + - name: Windows error reporting + href: upgrade/windows-error-reporting.md + - name: Upgrade error codes + href: upgrade/upgrade-error-codes.md + - name: Log files + href: upgrade/log-files.md + - name: Resolution procedures + href: upgrade/resolution-procedures.md + - name: Submit Windows 10 upgrade errors + href: upgrade/submit-errors.md + - name: Troubleshoot Windows Update + items: + - name: How to troubleshoot Windows Update + href: update/windows-update-troubleshooting.md + - name: Determine the source of Windows Updates + href: update/windows-update-sources.md + - name: Common Windows Update errors + href: update/windows-update-errors.md + - name: Windows Update error code reference + href: update/windows-update-error-reference.md + + - name: Reference + items: + - name: How does Windows Update work? + href: update/how-windows-update-works.md + - name: Understanding the Unified Update Platform + href: update/windows-update-overview.md + - name: Servicing stack updates + href: update/servicing-stack-updates.md + - name: How Windows Update works + href: update/how-windows-update-works.md + - name: Additional Windows Update settings + href: update/waas-wu-settings.md + - name: Delivery Optimization reference + href: update/waas-delivery-optimization-reference.md + - name: Windows 10 in S mode + href: windows-10-pro-in-s-mode.md + - name: Windows 10 deployment tools + items: + - name: Windows 10 deployment scenarios and tools + items: + - name: Convert MBR partition to GPT + href: mbr-to-gpt.md + - name: Configure a PXE server to load Windows PE + href: configure-a-pxe-server-to-load-windows-pe.md + - name: Windows ADK for Windows 10 scenarios for IT Pros + href: windows-adk-scenarios-for-it-pros.md + - name: Windows To Go + items: + - name: Deploy Windows To Go in your organization + href: deploy-windows-to-go.md + - name: "Windows To Go: feature overview" + href: planning/windows-to-go-overview.md + - name: Best practice recommendations for Windows To Go + href: planning/best-practice-recommendations-for-windows-to-go.md + - name: Deployment considerations for Windows To Go + href: planning/deployment-considerations-for-windows-to-go.md + - name: Prepare your organization for Windows To Go + href: planning/prepare-your-organization-for-windows-to-go.md + - name: Security and data protection considerations for Windows To Go + href: planning/security-and-data-protection-considerations-for-windows-to-go.md + - name: "Windows To Go: frequently asked questions" + href: planning/windows-to-go-frequently-asked-questions.md + + - name: Volume Activation Management Tool (VAMT) technical reference + items: + - name: VAMT technical reference + href: volume-activation/volume-activation-management-tool.md + - name: Introduction to VAMT + href: volume-activation/introduction-vamt.md + - name: Active Directory-Based Activation Overview + href: volume-activation/active-directory-based-activation-overview.md + - name: Install and Configure VAMT + href: volume-activation/install-configure-vamt.md + - name: VAMT Requirements + href: volume-activation/vamt-requirements.md + - name: Install VAMT + href: volume-activation/install-vamt.md + - name: Configure Client Computers + href: volume-activation/configure-client-computers-vamt.md + - name: Add and Manage Products + href: volume-activation/add-manage-products-vamt.md + - name: Add and Remove Computers + href: volume-activation/add-remove-computers-vamt.md + - name: Update Product Status + href: volume-activation/update-product-status-vamt.md + - name: Remove Products + href: volume-activation/remove-products-vamt.md + - name: Manage Product Keys + href: volume-activation/manage-product-keys-vamt.md + - name: Add and Remove a Product Key + href: volume-activation/add-remove-product-key-vamt.md + - name: Install a Product Key + href: volume-activation/install-product-key-vamt.md + - name: Install a KMS Client Key + href: volume-activation/install-kms-client-key-vamt.md + - name: Manage Activations + href: volume-activation/manage-activations-vamt.md + - name: Perform Online Activation + href: volume-activation/online-activation-vamt.md + - name: Perform Proxy Activation + href: volume-activation/proxy-activation-vamt.md + - name: Perform KMS Activation + href: volume-activation/kms-activation-vamt.md + - name: Perform Local Reactivation + href: volume-activation/local-reactivation-vamt.md + - name: Activate an Active Directory Forest Online + href: volume-activation/activate-forest-vamt.md + - name: Activate by Proxy an Active Directory Forest + href: volume-activation/activate-forest-by-proxy-vamt.md + - name: Manage VAMT Data + href: volume-activation/manage-vamt-data.md + - name: Import and Export VAMT Data + href: volume-activation/import-export-vamt-data.md + - name: Use VAMT in Windows PowerShell + href: volume-activation/use-vamt-in-windows-powershell.md + - name: VAMT Step-by-Step Scenarios + href: volume-activation/vamt-step-by-step.md + - name: "Scenario 1: Online Activation" + href: volume-activation/scenario-online-activation-vamt.md + - name: "Scenario 2: Proxy Activation" + href: volume-activation/scenario-proxy-activation-vamt.md + - name: "Scenario 3: KMS Client Activation" + href: volume-activation/scenario-kms-activation-vamt.md + - name: VAMT Known Issues + href: volume-activation/vamt-known-issues.md + + - name: User State Migration Tool (USMT) technical reference + items: + - name: USMT overview topics + items: + - name: USMT overview + href: usmt/usmt-overview.md + - name: Getting started with the USMT + href: usmt/getting-started-with-the-user-state-migration-tool.md + - name: Windows upgrade and migration considerations + href: upgrade/windows-upgrade-and-migration-considerations.md + - name: USMT How-to topics + items: + - name: Exclude Files and Settings + href: usmt/usmt-exclude-files-and-settings.md + - name: Extract Files from a Compressed USMT Migration Store + href: usmt/usmt-extract-files-from-a-compressed-migration-store.md + - name: Include Files and Settings + href: usmt/usmt-include-files-and-settings.md + - name: Migrate Application Settings + href: usmt/migrate-application-settings.md + - name: Migrate EFS Files and Certificates + href: usmt/usmt-migrate-efs-files-and-certificates.md + - name: Migrate User Accounts + href: usmt/usmt-migrate-user-accounts.md + - name: Reroute Files and Settings + href: usmt/usmt-reroute-files-and-settings.md + - name: Verify the Condition of a Compressed Migration Store + href: usmt/verify-the-condition-of-a-compressed-migration-store.md + - name: USMT Troubleshooting + href: usmt/usmt-troubleshooting.md + - name: Common Issues + href: usmt/usmt-common-issues.md + - name: Frequently Asked Questions + href: usmt/usmt-faq.md + - name: Log Files + href: usmt/usmt-log-files.md + - name: Return Codes + href: usmt/usmt-return-codes.md + - name: USMT Resources + href: usmt/usmt-resources.md + + - name: USMT Reference + items: + - name: USMT Requirements + href: usmt/usmt-requirements.md + - name: USMT Best Practices + href: usmt/usmt-best-practices.md + - name: How USMT Works + href: usmt/usmt-how-it-works.md + - name: Plan Your Migration + href: usmt/usmt-plan-your-migration.md + - name: Common Migration Scenarios + href: usmt/usmt-common-migration-scenarios.md + - name: What Does USMT Migrate? + href: usmt/usmt-what-does-usmt-migrate.md + - name: Choose a Migration Store Type + href: usmt/usmt-choose-migration-store-type.md + - name: Migration Store Types Overview + href: usmt/migration-store-types-overview.md + - name: Estimate Migration Store Size + href: usmt/usmt-estimate-migration-store-size.md + - name: Hard-Link Migration Store + href: usmt/usmt-hard-link-migration-store.md + - name: Migration Store Encryption + href: usmt/usmt-migration-store-encryption.md + - name: Determine What to Migrate + href: usmt/usmt-determine-what-to-migrate.md + - name: Identify users + href: usmt/usmt-identify-users.md + - name: Identify Applications Settings + href: usmt/usmt-identify-application-settings.md + - name: Identify Operating System Settings + href: usmt/usmt-identify-operating-system-settings.md + - name: Identify File Types, Files, and Folders + href: usmt/usmt-identify-file-types-files-and-folders.md + - name: Test Your Migration + href: usmt/usmt-test-your-migration.md + - name: USMT Command-line Syntax + href: usmt/usmt-command-line-syntax.md + - name: ScanState Syntax + href: usmt/usmt-scanstate-syntax.md + - name: LoadState Syntax + href: usmt/usmt-loadstate-syntax.md + - name: UsmtUtils Syntax + href: usmt/usmt-utilities.md + - name: USMT XML Reference + href: usmt/usmt-xml-reference.md + - name: Understanding Migration XML Files + href: usmt/understanding-migration-xml-files.md + - name: Config.xml File + href: usmt/usmt-configxml-file.md + - name: Customize USMT XML Files + href: usmt/usmt-customize-xml-files.md + - name: Custom XML Examples + href: usmt/usmt-custom-xml-examples.md + - name: Conflicts and Precedence + href: usmt/usmt-conflicts-and-precedence.md + - name: General Conventions + href: usmt/usmt-general-conventions.md + - name: XML File Requirements + href: usmt/xml-file-requirements.md + - name: Recognized Environment Variables + href: usmt/usmt-recognized-environment-variables.md + - name: XML Elements Library + href: usmt/usmt-xml-elements-library.md + - name: Offline Migration Reference + href: usmt/offline-migration-reference.md + + - name: Application Compatibility Toolkit (ACT) Technical Reference + items: + - name: SUA User's Guide + href: planning/sua-users-guide.md + - name: Using the SUA Wizard + href: planning/using-the-sua-wizard.md + - name: Using the SUA Tool + href: planning/using-the-sua-tool.md + - name: Tabs on the SUA Tool Interface + href: planning/tabs-on-the-sua-tool-interface.md + - name: Showing Messages Generated by the SUA Tool + href: planning/showing-messages-generated-by-the-sua-tool.md + - name: Applying Filters to Data in the SUA Tool + href: planning/applying-filters-to-data-in-the-sua-tool.md + - name: Fixing Applications by Using the SUA Tool + href: planning/fixing-applications-by-using-the-sua-tool.md + - name: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista + href: planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md + - name: Compatibility Administrator User's Guide + href: planning/compatibility-administrator-users-guide.md + - name: Using the Compatibility Administrator Tool + href: planning/using-the-compatibility-administrator-tool.md + - name: Available Data Types and Operators in Compatibility Administrator + href: planning/available-data-types-and-operators-in-compatibility-administrator.md + - name: Searching for Fixed Applications in Compatibility Administrator + href: planning/searching-for-fixed-applications-in-compatibility-administrator.md + - name: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator + href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md + - name: Creating a Custom Compatibility Fix in Compatibility Administrator + href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md + - name: Creating a Custom Compatibility Mode in Compatibility Administrator + href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md + - name: Creating an AppHelp Message in Compatibility Administrator + href: planning/creating-an-apphelp-message-in-compatibility-administrator.md + - name: Viewing the Events Screen in Compatibility Administrator + href: planning/viewing-the-events-screen-in-compatibility-administrator.md + - name: Enabling and Disabling Compatibility Fixes in Compatibility Administrator + href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md + - name: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator + href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md + - name: Managing Application-Compatibility Fixes and Custom Fix Databases + href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md + - name: Understanding and Using Compatibility Fixes + href: planning/understanding-and-using-compatibility-fixes.md + - name: Compatibility Fix Database Management Strategies and Deployment + href: planning/compatibility-fix-database-management-strategies-and-deployment.md + - name: Testing Your Application Mitigation Packages + href: planning/testing-your-application-mitigation-packages.md + - name: Using the Sdbinst.exe Command-Line Tool + href: planning/using-the-sdbinstexe-command-line-tool.md + - name: Volume Activation + href: volume-activation/volume-activation-windows-10.md + - name: Plan for volume activation + href: volume-activation/plan-for-volume-activation-client.md + - name: Activate using Key Management Service + href: volume-activation/activate-using-key-management-service-vamt.md + - name: Activate using Active Directory-based activation + href: volume-activation/activate-using-active-directory-based-activation-client.md + - name: Activate clients running Windows 10 + href: volume-activation/activate-windows-10-clients-vamt.md + - name: Monitor activation + href: volume-activation/monitor-activation-client.md + - name: Use the Volume Activation Management Tool + href: volume-activation/use-the-volume-activation-management-tool-client.md + - name: "Appendix: Information sent to Microsoft during activation " + href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md + + - name: Install fonts in Windows 10 + href: windows-10-missing-fonts.md \ No newline at end of file diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 4e60ac99b8..cff09982d3 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -25,14 +25,16 @@ ms.topic: article This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization. - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/index). -- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history). -## Recent additions to this page +## Latest news -[SetupDiag](#setupdiag) 1.6 is released.
-The [Windows ADK for Windows 10, version 1903](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.
-New [Windows Autopilot](#windows-autopilot) content is available.
-[Windows 10 Subscription Activation](#windows-10-subscription-activation) now supports Windows 10 Education. +[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.
+The [Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.
+New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
+VPN support is added to [Windows Autopilot](#windows-autopilot)
+An in-place upgrade wizard is available in [Configuration Manager](#microsoft-endpoint-configuration-manager).
+The [Windows ADK](#windows-assessment-and-deployment-kit-adk) for Windows 10, version 2004 is available.
+The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with additional content added and more content coming soon.
## The Modern Desktop Deployment Center @@ -49,9 +51,36 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic ## Windows 10 servicing and support -- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon! -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. -- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. +### Delivery Optimization + +Windows PowerShell cmdlets for Delivery Optimization have been improved: + +- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent). +- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections. +- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting. + +Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include: +- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. +- Automatic cloud-based congestion detection is available for PCs with cloud service support. +- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon! + +The following Delivery Optimization policies are removed in the Windows 10, version 2004 release: + +- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) + - Reason: Replaced with separate policies for foreground and background +- Max Upload Bandwidth (DOMaxUploadBandwidth) + - Reason: impacts uploads to internet peers only, which isn't used in Enterprises. +- Absolute max throttle (DOMaxDownloadBandwidth) + - Reason: separated to foreground and background + +### Windows Update for Business + +[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include: +- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. +- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. + +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. - **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. @@ -70,13 +99,16 @@ Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel o For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) - ## Deployment solutions and tools ### Windows Autopilot [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices. +With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. + +If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles. + The following Windows Autopilot features are available in Windows 10, version 1903 and later: - [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. @@ -85,6 +117,10 @@ The following Windows Autopilot features are available in Windows 10, version 19 - Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. - Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. +### Microsoft Endpoint Configuration Manager + +An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364). + ### Windows 10 Subscription Activation Windows 10 Education support has been added to Windows 10 Subscription Activation. @@ -93,9 +129,11 @@ With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to ### SetupDiag -[SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. +[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. -SetupDiag version 1.6.0.42 was released on 08/08/2019. +In Windows 10, version 2004, SetupDiag is now automatically installed. + +During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there is an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup. ### Upgrade Readiness @@ -131,21 +169,21 @@ There are many benefits to converting the partition style of a disk to GPT, incl For more information, see [MBR2GPT.EXE](mbr-to-gpt.md). - ### Microsoft Deployment Toolkit (MDT) -MDT build 8456 (12/19/2018) is available, including support for Windows 10, version 1809, and Windows Server 2019. - -For more information about MDT, see the [MDT resource page](https://docs.microsoft.com/sccm/mdt/). +MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019. There is currently an issue that causes MDT to incorrectly detect that UEFI is present in Windows 10, version 2004. This issue is currently under investigation. +For the latest information about MDT, see the [MDT release notes](https://docs.microsoft.com/mem/configmgr/mdt/release-notes). ### Windows Assessment and Deployment Kit (ADK) -The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. See the following topics: +The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. -- [What's new in ADK kits and tools](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools) -- [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) +Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install). +For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004). + +Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). ## Testing and validation guidance @@ -159,25 +197,15 @@ For more information, see the following guides: - [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) - [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) - ## Troubleshooting guidance [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process. - -## Online content change history - -The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10. - -[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
-[Change history for Device Security](/windows/device-security/change-history-for-device-security)
-[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection) - ## Related topics -[Overview of Windows as a service](update/waas-overview.md) -
[Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) -
[Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) -
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications) -
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) -
[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) +[Overview of Windows as a service](update/waas-overview.md)
+[Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
+[Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information)
+[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
+[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
+[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index b54532b820..52cc80097b 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -25,8 +25,8 @@ ms.topic: article This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. ## Deployment tips diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 2d316a4b7f..753f83e575 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -1,105 +1,94 @@ -### YamlMime:YamlDocument +### YamlMime:Landing + +title: Windows 10 deployment resources and documentation # < 60 chars +summary: Learn about deploying and and keeping Windows 10 up to date. # < 160 chars -documentType: LandingData -title: Deploy and update Windows 10 metadata: - document_id: - title: Deploy and update Windows 10 - description: Deploying and updating Windows 10 for IT professionals. - keywords: deploy, update, Windows, service, Microsoft365, e5, e3 - ms.localizationpriority: high - author: greg-lindsay - ms.author: greglin - manager: laurawi - ms.topic: article - ms.devlang: na + title: Windows 10 deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. + services: windows-10 + ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.subservice: subservice + ms.topic: landing-page # Required + ms.collection: windows-10 + author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. + ms.author: greglin #Required; microsoft alias of author; optional team alias. + ms.date: 05/27/2020 #Required; mm/dd/yyyy format. + localization_priority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new -sections: -- items: - - type: markdown - text: Learn about deployment of Windows 10 for IT professionals. This includes deploying the operating system, upgrading to it from previous versions and updating Windows 10. -- items: - - type: list - style: cards - className: cardsM - columns: 3 - items: - - href: windows-10-deployment-scenarios - html:

Understand the different ways that Windows 10 can be deployed

- image: - src: https://docs.microsoft.com/media/common/i_deploy.svg - title: Windows 10 deployment scenarios - - href: update - html:

Update Windows 10 in the enterprise

- image: - src: https://docs.microsoft.com/media/common/i_upgrade.svg - title: Windows as a service - - href: windows-autopilot/windows-autopilot - html:

Windows Autopilot greatly simplifies deployment of Windows devices

- image: - src: https://docs.microsoft.com/media/common/i_delivery.svg - title: Windows Autopilot -- title: -- items: - - type: markdown - text: " -
-
- - - - - - -
[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) Check out the new Modern Deskop Deployment Center and discover content to help you with your Windows 10 and Microsoft 365 Apps for enterprise deployments.
[What's new in Windows 10 deployment](deploy-whats-new.md) See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization.
[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task.
[Windows Autopilot](windows-autopilot/windows-autopilot.md) Windows Autopilot enables an IT department to pre-configure new devices and repurpose existing devices with a simple process that requires little to no infrastructure.
[Windows 10 Subscription Activation](windows-10-subscription-activation.md) Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
- " -- title: Deploy Windows 10 -- items: - - type: markdown - text: " - Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. -
 
- - - - - - - - - - - -
TopicDescription
[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices.
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) This topic provides information about support for upgrading directly to Windows 10 from a previous operating system.
[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) This topic provides information about support for upgrading from one edition of Windows 10 to another.
[Windows 10 volume license media](windows-10-media.md) This topic provides information about media available in the Microsoft Volume Licensing Service Center.
[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
[Windows 10 deployment test lab](windows-10-poc.md) This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md).
[Plan for Windows 10 deployment](planning/index.md) This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning.
[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT).
[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-cm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or.
[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more.
- " -- title: Update Windows 10 -- items: - - type: markdown - text: " - Information is provided about keeping Windows 10 up-to-date. -
 
- - - - - - - - - - - - - - - -
TopicDescription
[Quick guide to Windows as a service](update/waas-quick-start.md) Provides a brief summary of the key points for the new servicing model for Windows 10.
[Overview of Windows as a service](update/waas-overview.md) Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools.
[Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) Explains the decisions you need to make in your servicing strategy.
[Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates.
[Assign devices to servicing branches for Windows 10 updates](update/waas-servicing-branches-windows-10-updates.md) Explains how to assign devices to Current Branch (CB) or Current Branch for Business (CBB) for feature and quality updates, and how to enroll devices in Windows Insider.
[Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization.
[Optimize update delivery for Windows 10 updates](update/waas-optimize-windows-10-updates.md) Explains the benefits of using Delivery Optimization or BranchCache for update distribution.
[Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile.
[Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune.
[Deploy Windows 10 updates using Windows Server Update Services (WSUS)](update/waas-manage-updates-wsus.md) Explains how to use WSUS to manage Windows 10 updates.
[Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](update/waas-manage-updates-configuration-manager.md) Explains how to use Configuration Manager to manage Windows 10 updates.
[Manage device restarts after updates](update/waas-restart.md) Explains how to manage update related device restarts.
[Manage additional Windows Update settings](update/waas-wu-settings.md) Provides details about settings available to control and configure Windows Update.
[Windows Insider Program for Business](update/waas-windows-insider-for-business.md) Explains how the Windows Insider Program for Business works and how to become an insider.
- " -- title: Additional topics -- items: - - type: markdown - text: " -
- [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. - -  " +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Overview + linkLists: + - linkListType: overview + links: + - text: Windows 10 deployment scenarios + url: windows-10-deployment-scenarios.md + - text: What is Windows as a service? + url: update/waas-overview.md + - text: Types of Windows updates + url: update/waas-quick-start.md#definitions + + # Card (optional) + - title: Get started + linkLists: + - linkListType: get-started + links: + - text: Demonstrate Autopilot deployment + url: windows-autopilot/demonstrate-deployment-on-vm.md + - text: Servicing the Windows 10 operating system + url: update/waas-servicing-strategy-windows-10-updates.md + - text: Deploy Windows 10 in a test lab + url: windows-10-poc.md + + # Card (optional) + - title: Deployment planning + linkLists: + - linkListType: architecture + links: + - text: Create a deployment plan + url: update/create-deployment-plan.md + - text: Evaluate infrastructure and tools + url: update/eval-infra-tools.md + - text: Define your servicing strategy + url: update/waas-servicing-strategy-windows-10-updates.md + + # Card + - title: Prepare to deploy Windows 10 + linkLists: + - linkListType: how-to-guide + links: + - text: Prepare to deploy Windows 10 + url: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md + - text: Evaluate and update infrastructure + url: update/update-policies.md + - text: Build a successful servicing strategy + url: update/waas-deployment-rings-windows-10-updates.md + + # Card + - title: Deploy Windows 10 + linkLists: + - linkListType: deploy + links: + - text: Deploy Windows 10 with Autopilot + url: windows-autopilot/windows-autopilot-scenarios.md + - text: Assign devices to servicing channels + url: update/waas-servicing-channels-windows-10-updates.md + - text: Deploy Windows 10 updates + url: update/index.md + + # Card (optional) + - title: Also see + linkLists: + - linkListType: reference + links: + - text: Windows 10 release information + url: https://docs.microsoft.com/en-us/windows/release-information/ + - text: What's new in Windows 10 + url: https://docs.microsoft.com/en-us/windows/whats-new/ + - text: Windows 10 Enterprise Security + url: https://docs.microsoft.com/en-us/windows/security/ diff --git a/windows/deployment/planning/TOC.md b/windows/deployment/planning/TOC.md deleted file mode 100644 index fc4cb8fefa..0000000000 --- a/windows/deployment/planning/TOC.md +++ /dev/null @@ -1,37 +0,0 @@ -# [Plan for Windows 10 deployment](index.md) -## [Windows 10 Enterprise FAQ for IT Pros](windows-10-enterprise-faq-itpro.md) -## [Windows 10 deployment considerations](windows-10-deployment-considerations.md) -## [Windows 10 compatibility](windows-10-compatibility.md) -## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) - -## Features removed or planned for replacement -### [Windows 10 features lifecycle](features-lifecycle.md) -### [Features we're no longer developing](windows-10-deprecated-features.md) -### [Features we removed](windows-10-removed-features.md) - -## Application Compatibility Toolkit (ACT) -### [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) -### [SUA User's Guide](sua-users-guide.md) -#### [Using the SUA Wizard](using-the-sua-wizard.md) -#### [Using the SUA Tool](using-the-sua-tool.md) -##### [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md) -##### [Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md) -##### [Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md) -##### [Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md) -### [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) -#### [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) -##### [Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md) -##### [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md) -##### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md) -##### [Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md) -##### [Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md) -##### [Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md) -##### [Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md) -##### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md) -##### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md) -#### [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) -##### [Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md) -##### [Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md) -##### [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md) -#### [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md) -### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md index 0652569347..41c34aec02 100644 --- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md +++ b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md @@ -1,54 +1,55 @@ ---- -title: Best practice recommendations for Windows To Go (Windows 10) -description: Best practice recommendations for Windows To Go -ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: best practices, USB, device, boot -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: mobility -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Best practice recommendations for Windows To Go - - -**Applies to** - -- Windows 10 - ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -The following are the best practice recommendations for using Windows To Go: - -- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive. -- Do not insert the Windows To Go drive into a running computer. -- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer. -- If available, use a USB 3.0 port with Windows To Go. -- Do not install non-Microsoft core USB drivers on Windows To Go. -- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection. - -Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain. - -## More information - - -[Windows To Go: feature overview](windows-to-go-overview.md)
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
- -  - -  - - - - - +--- +title: Best practice recommendations for Windows To Go (Windows 10) +description: Best practice recommendations for Windows To Go +ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: best practices, USB, device, boot +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Best practice recommendations for Windows To Go + + +**Applies to** + +- Windows 10 + +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + +The following are the best practice recommendations for using Windows To Go: + +- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive. +- Do not insert the Windows To Go drive into a running computer. +- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer. +- If available, use a USB 3.0 port with Windows To Go. +- Do not install non-Microsoft core USB drivers on Windows To Go. +- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection. + +Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain. + +## More information + + +[Windows To Go: feature overview](windows-to-go-overview.md)
+[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
+[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
+[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
+[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
+ +  + +  + + + + + diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index d57413d357..8724e8278a 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -23,7 +23,7 @@ ms.topic: article - Windows 10 > [!IMPORTANT] -> Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs. diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index a9f0103eb9..c896c72fde 100644 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md @@ -22,8 +22,8 @@ ms.topic: article - Windows 10 ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go. diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index 905e495858..952f743607 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md @@ -22,8 +22,8 @@ ms.topic: article - Windows 10 ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 5a34226e0f..fba2f6ef1d 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -26,7 +26,9 @@ The features described below are no longer being actively developed, and might b |Feature | Details and mitigation | Announced in version | | ----------- | --------------------- | ---- | -| Hyper-V vSwitch on LBFO | In a future release, the Hyper-V vSwitch will no longer have the capability to be bound to an LBFO team. Instead, it can be bound via [Switch Embedded Teaming](https://docs.microsoft.com/windows-server/virtualization/hyper-v-virtual-switch/rdma-and-switch-embedded-teaming#bkmk_sswitchembedded) (SET).| 1909 | +| Companion Device Framework | The [Companion Device Framework](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 | +| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 | +| Dynamic Disks | The [Dynamic Disks](https://docs.microsoft.com/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](https://docs.microsoft.com/windows-server/storage/storage-spaces/overview) in a future release.| 2004 | | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | | Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
 
The recommended replacement for PSR is [Azure App Service](https://docs.microsoft.com/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 | diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index 508cc788a8..b79a9e0b9d 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -27,6 +27,9 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Removed in version | | ----------- | --------------------- | ------ | +| Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 | +| Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 | +| Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 | | PNRP APIs| ​The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We are planning to complete the removal process by removing the corresponding APIs. | 1909 | | Taskbar settings roaming | Roaming of taskbar settings is removed in this release. This feature was announced as no longer being developed in Windows 10, version 1903. | 1909 | | Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | 1903 | diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md index d888468cfe..2a8889f1ab 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md @@ -22,8 +22,8 @@ ms.topic: article - Windows 10 ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. The following list identifies some commonly asked questions about Windows To Go. diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md index 23fefc02cd..c978295e6e 100644 --- a/windows/deployment/planning/windows-to-go-overview.md +++ b/windows/deployment/planning/windows-to-go-overview.md @@ -23,7 +23,7 @@ ms.topic: article - Windows 10 > [!IMPORTANT] -> Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md new file mode 100644 index 0000000000..da1db27ff2 --- /dev/null +++ b/windows/deployment/update/create-deployment-plan.md @@ -0,0 +1,140 @@ +--- +title: Create a deployment plan +description: Devise the number of deployment rings you need and how you want to populate them +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Create a deployment plan + +A service management mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once this process is used for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity. + +When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices, and we’ve found that ring-based deployment is a methodology that works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades--they are simply a method by which to separate devices into a deployment timeline. + +At the highest level, each “ring” comprise a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur. + +A common ring structure comprises three deployment groups: + +- Preview: Planning and development +- Limited: Pilot and validation +- Broad: Wide deployment + +> [!NOTE] +> Organizations often use different names for their “rings," for example: +> - First > Fast > Broad +> - Canaries > Early Adopters > Users +> - Preview > Broad > Critical + + +## How many rings should I have? + +There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large +organization, you might want to consider assigning devices to rings based on geographic location or the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization. + +## Advancing between rings + +There are basically two strategies for moving deployments from one ring to the next. One is service based, the other project based. + +- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the “red button” to stop further distribution. +- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the “green button” to push the content to the next ring. + +When it comes to deployments, having manual steps in the process usually impedes update velocity, so a "red button" strategy is better when that is your goal. + +## Preview ring + +The purpose of the Preview ring is to evaluate the new features of the update. This is specifically *not* for broad parts of the organization but is limited to the people who are responsible for knowing what is coming next, +generally IT administrators. Ultimately, this is the time the design and planning work happens so that when the public update is actually shipped, you can have greater confidence in the update. + +> [!NOTE] +> Being part of the [Windows Insider Program](https://insider.windows.com/for-business/) gives you early access to Windows releases so that you can use Insider Preview builds in your Preview ring to validate your apps and infrastructure, preparing you for public Windows releases. + + +### Who goes in the Preview ring? + +The Preview ring users are the most tech savvy and resilient people, who will not lose productivity if something goes wrong. In general, these are IT pros, and perhaps a few people in the business organization. + +During your plan and prepare phases, these are the activities you should focus on: + +- Work with Windows Insider Preview builds. +- Identify the features and functionality your organization can or wants to use. +- Establish who will use the features and how they will benefit. +- Understand why you are putting the update out. +- Plan for usage feedback. + +Remember, you are working with pre-release software in the Preview ring and you will be evaluating features and testing the update for a targeted release. + +> [!IMPORTANT] +> If you are using Windows Insider (pre-release) releases for your preview ring and you are using WSUS or Windows Update for Business, be sure to set the following policies to allow for Preview builds: +> - **Manage Preview Builds: 2 - Enable preview builds** +> • Under **Branch Readiness Level**, select **When Preview Builds and Feature Updates are Received: 4--Windows Insider Program Slow** + +## Limited ring + +The purpose of the Limited ring is to validate the update on representative devices across the network. During this period, data, and feedback is generated to enable the decision to move forward to broader deployment. Desktop +Analytics can help with defining a good Limited ring of representative devices and assist in monitoring the deployment. + +### Who goes in the Limited ring? + +The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented, and it's important that the people selected for this ring are using their devices regularly in order to generate the data you will need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network. + + +During your pilot and validate phases, these are the activities you should focus on: + +- Deploy new innovations. +- Assess and act if issues are encountered. +- Move forward unless blocked. + +When you deploy to the Limited ring, you’ll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring, because your Limited ring represents your organization across the board, and when you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly. + +## Broad deployment + +Once the devices in the Limited ring have had a sufficient stabilization period, it’s time for broad deployment across the network. + +### Who goes in the Broad deployment ring? + +In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision) broad deployment can occur relatively quickly. + +> [!NOTE] +> In some instances, you might hold back on mission critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows 10 feature +> updates to mission critical devices. + +During the broad deployment phase, these are the activities you should focus on: + +- Deploy to all devices in the organization. +- Work through any final unusual issues that were not detected in your Limited ring. + + +## Ring deployment planning + +Previously, we have provided methods for analyzing your deployments, but these have generally been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We have combined many of these tasks, and more, into a single interface with Desktop Analytics. + + +[Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to +make informed decisions about the readiness of your Windows devices. + +In Windows 10 deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Microsoft Endpoint Manager can help you assess app compatibility with the latest +feature update and create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions. + +> [!IMPORTANT] +> Desktop Analytics does not support preview (Windows Insider) builds; use Configuration Manager to deploy to your Preview ring. As noted previously, the Preview ring is a small group of devices represents your ecosystem very well in terms of app, driver, and hardware diversity. + +### Deployment plan options + +There are two ways to implement a ring deployment plan, depending on how you manage your devices: + +- If you are using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/about-deployment-plans). +- If you are using Microsoft Intune, see [Create deployment plans directly in Intune](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide). + +For more about Desktop Analytics, see these articles: + +- [How to set up Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/set-up) +- [Tutorial: Deploy Windows 10 to Pilot](https://docs.microsoft.com/mem/configmgr/desktop-analytics/tutorial-windows10) +- [Desktop Analytics documentation](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) +- [Intune deployment planning, design, and implementation guide](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide) + diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md new file mode 100644 index 0000000000..202b4531b9 --- /dev/null +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -0,0 +1,20 @@ +--- +title: Deploy Windows 10 updates with Configuration Manager (Windows 10) +description: Deploy Windows 10 updates with Configuration Manager +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Deploy Windows 10 updates with Configuration Manager + +**Applies to** + +- Windows 10 + +See the Microsoft Endpoint Configuration Manager [documentation](https://docs.microsoft.com/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. \ No newline at end of file diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md new file mode 100644 index 0000000000..af6fe156e8 --- /dev/null +++ b/windows/deployment/update/eval-infra-tools.md @@ -0,0 +1,71 @@ +--- +title: Evaluate infrastructure and tools +ms.reviewer: +manager: laurawi +description: +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Evaluate infrastructure and tools + +Before you deploy an update, it's best to assess your deployment infrastucture (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness. + +## Infrastructure + +Do your deployment tools need updates? + +- If you use Configuration Manager, is it on the Current Branch with the latest release installed. This ensures that it supports the next Windows 10 feature update. Configuration Manager releases are supported for 18 months. +- Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated. +- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows 10 feature update. + +Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered while doing so. + +## Device settings + +Make sure your security basline, administrative templates, and policies have the right settings to support your devices once the new Windows 10 update is installed. + +### Security baseline + +Keep security baslines current to help ensure that your environment is secure and that new security feature in the coming Windows 10 update are set properly. + +- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them. +- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows 10 you are about to deploy. + +### Configuration updates + +There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately. + +- **Windows 10 Administrative templates**: Each Windows 10 feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 10, version 1909](https://www.microsoft.com/download/100591). +- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones. + + +## Define operational readiness criteria + +When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. To achieve this, work with your operations and support team to define acceptable trends and what documents or processes require updating: + +- **Call trend**: Define what percentage increase in calls relating to Windows 10 feature updates are acceptable or can be supported. +- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows 10 feature updates are acceptable or can be supported. +- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows 10 feature update. +- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update. + +Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get get this information so you can gain the right insight. + +## Tasks + +Finally, you can begin to carry out the work needed to ensure your infrastructure and configuration can support the update. To help you keep track, you can classify the work into the following overarching tasks: + +- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they’ve all been defined. +- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that have been identified for the update. +- **Define infrastructure update plan**: Detail how your infrastructure must change to support the update. +- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when it’s been deployed. +- **Identify gaps that require attention**: Identify issues that will need to be addressed to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure? +- **Define operational update plan**: Detail how your operational services and processes must change to support the update. diff --git a/windows/deployment/update/images/DO-absolute-bandwidth.png b/windows/deployment/update/images/DO-absolute-bandwidth.png new file mode 100644 index 0000000000..a13d5393e6 Binary files /dev/null and b/windows/deployment/update/images/DO-absolute-bandwidth.png differ diff --git a/windows/deployment/update/images/annual-calendar.png b/windows/deployment/update/images/annual-calendar.png new file mode 100644 index 0000000000..1ff15bed76 Binary files /dev/null and b/windows/deployment/update/images/annual-calendar.png differ diff --git a/windows/deployment/update/images/rapid-calendar.png b/windows/deployment/update/images/rapid-calendar.png new file mode 100644 index 0000000000..35aec71626 Binary files /dev/null and b/windows/deployment/update/images/rapid-calendar.png differ diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md new file mode 100644 index 0000000000..a2ff53df19 --- /dev/null +++ b/windows/deployment/update/plan-define-readiness.md @@ -0,0 +1,115 @@ +--- +title: Define readiness criteria +ms.reviewer: +manager: laurawi +description: Identify important roles and figure out how to classify apps +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Define readiness criteria + +## Figure out roles and personnel + +Planning and managing a deployment involves a variety of distinct activies and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment. + +### Process manager + +The process manager leads the update deployment process and has the authority to push the process forward--or halt it if necessary. They also have responsibilities in organizing these activities: + + +|Compatibility workstream |Deployment |Capability and modernization | +|---------|---------|---------| +|[Assigning application priority](#set-criteria-for-rating-apps) | Reviewing infrastructure requirements | Determining infrastructure changes | +|Application assessment | Validating infrastructure against requirements | Determining configuration changes | +|Device assessment | Creating infrastructure update plan | Create capability proposal | + +It's the process manager's role to collect reports on remediation efforts, escalate failures, and to decide whether your environment is ready for pilot deployment and then broad deployment. + + +This table sketches out one view of the other roles, with their responsibilities, relevant skills, and the deployment phases where they are needed: + + +|Role |Responsibilities |Skills |Active phases | +|---------|---------|---------|---------| +|Process manager | Manages the process end to end; ensures inputs and outputs are captures; ensures that activities progress | IT service management | Plan, prepare, pilot deployment, broad deployment | +|Application owner | Define application test plan; assign user acceptance testers; certify the application | Knowledge of critical and important applications | Plan, prepare, pilot deployment | +|Application developer | Ensure apps are developed to stay compatible with current Windows versions | Application development; application remediation | Plan, prepare | +|End-user computing | Typically a group including infrastructure engineers or deployment engineers who ensure upgrade tools are compatible with Windows | Bare-metal deployment; infrastructure management; application delivery; update management | Plan, prepare, pilot deployment, broad deployment | +|Operations | Ensure that support is available for current Windows version. Provide post-deployment support, including user communication and rollbacks. | Platform security | Prepare, pilot deployment, broad deployment | +|Security | Review and approve the security baseline and tools | Platform security | Prepare, pilot deployment | +|Stakeholders | Represent groups affected by updates, for example, heads of finance, end-user services, or change management | Key decision maker for a business unit or department | Plan, pilot deployment, broad deployment | + + + + + + +## Set criteria for rating apps + +Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren’t critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This will help you understand how best to deploy updates and how to resolve any issues that could arise. + +In the Prepare phase, you'll apply the criteria you define now to every app in your organization. + +Here's a suggested classification scheme: + + +|Classification |Definition| +|---------|---------| +|Critical | The most vital applications that handle core business activities and processes. If these applications were not available, the business, or a business unit, couldn't function at all. | +|Important | Applications that individual staff members need to support their productivity. Downtime here would affect individual users, but would only have a minimal impact on the business. | +|Not important | There is no impact on the business if these apps are not available for a while. | + +Once you have classified your applications, you should agree what each classification means to the organization in terms of priority and severity. This will help ensure that you can triage problems with the right level of urgency. You should assign each app a time-based priority. + +Here's an example priority rating system; of course the specifics could vary for your organization: + + +|Priority |Definition | +|---------|---------| +|1 | Any issues or risks identified must be investigated and resolved as soon as possible. | +|2 | Start investigating risks and issues within two business days and fix them *during* the current deployment cycle. | +|3 | Start investigating risks and issues within 10 business days. You don’t have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle. | +|4 | Start investigating risks and issues within 20 business days. You can fix them in the current or any future development cycle. | + +Related to priority, but distinct, is the concept of severity. You should define a severity ranking as well, based on how you feel a problem with an app should affect the deployment cycle. + +Here's an example: + + +|Severity |Effect | +|---------|---------| +|1 | Work stoppage or loss of revenue | +|2 | Productivity loss for a business unit | +|3 | Productivity loss for individual users | +|4 | Minimal impact on users | + +## Example: a large financial corporation + +Using the suggested scheme, a financial corporation might classify their apps like this: + + +|App |Classification | +|---------|---------| +|Credit processing app | Critical | +|Frontline customer service app | Critical | +|PDF viewer | Important | +|Image processing app | Not important | + +Further, they might combine this classification with severity and priority rankings like this: + + +|Classification |Severity |Priority |Response | +|---------|---------|---------|---------| +|Critical | 1 or 2 | 1 or 2 | For 1, stop deployment until resolved; for 2, stop deployment for affected devices or users only. | +|Important | 3 or 4 | 3 or 4 | For 3, continue deployment, even for affected devices, as long as there is workaround guidance. | +|Not important | 4 | 4 | Continue deployment for all devices. | + diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md new file mode 100644 index 0000000000..29c3c93099 --- /dev/null +++ b/windows/deployment/update/plan-determine-app-readiness.md @@ -0,0 +1,76 @@ +--- +title: Determine application readiness +ms.reviewer: +manager: laurawi +description: How to test your apps to know which need attention prior to deploying an update +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Determine application readiness + +Before you deploy a Windows 10 update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps] with respect to their criticality in your organization. + +## Validation methods + +You can choose from a variety of methods to validate apps. Exactly which ones to use will depend on the specifics of your environment. + + +|Validation method |Description | +|---------|---------| +|Full regression | A full quality assurance probing. Staff who know the application very well and can validate its core functionality should do this. | +|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they’re validating. | +|Automated testing | Software performs tests automatically. The software will let you know whether the tests have passed or failed, and will provide detailed reporting for you automatically. | +|Test in pilot | You pre-select users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. | +|Reactive response | Applications are validated in late pilot, and no specific users are selected. These are normally applications aren't installed on many devices and aren’t handled by enterprise application distribution. | + +Combining the various validation methods with the app classifications you've previously established might look like this: + + +|Validation method |Critical apps |Important apps |Not important apps | +|---------|---------|---------|---------| +|Full regression | x | | | +|Smoke testing | | x | | +|Automated testing | x | x | x | +|Test in pilot | x | x | x | + + +## Identify users + +Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you'll have to choose which users are best suited for validation testing. Some factors to consider include: + +- **Location**: If users are in different physical locations, can you support them and get validation feedback from the region they're in? +- **Application knowledge**: Do the users have appropriate knowledge of how the app is supposed to work? +- **Technical ability**: Do the users have enough technical competence to provide useful feedback from various test scenarios? + +You could seek volunteers who enjoy working with new features and include them in the pilot deployment. You might want to avoid using core users like department heads or project managers. Current application owners, operations personnel, and developers can help you identify the most appropriate pilot users. + +## Identify and set up devices for validation + +In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection will include devices representing all of the hardware models in your environment. + +There is more than one way to choose devices for app validation: + +- **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles. +- **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems. +- **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices. + + +## Desktop Analytics + +Desktop Analytics can make all of the tasks discussed in this article significantly easier: + +- Creating and maintaining an application and device inventory +- Assign owners to applications for testing +- Automatically apply your app classifications (critical, important, not important) +- Automatically identify application compatibility risks and provide recommendations for reducing those risks + +For more information, see [What is Desktop Analytics?](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md new file mode 100644 index 0000000000..dbf94c9677 --- /dev/null +++ b/windows/deployment/update/update-policies.md @@ -0,0 +1,204 @@ +--- +title: Policies for update compliance, activity, and end-user experience +ms.reviewer: +manager: laurawi +description: +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Policies for update compliance, activity, and end-user experience +Keeping devices up to date is the best way to keep them working smoothly and securely. + +## Deadlines for update compliance + +You can control how strictly devices must reliably keep to your desired update schedule by using update deadline policies. Windows components adapt based on these deadlines. Also, they can make tradeoffs between user experience and velocity in order to meet your desired update deadlines. For example, they can prioritize user experience well before the +deadline approaches, and then prioritize velocity as the deadline nears, while still affording the user some control. + +### Deadlines + +Beginning with Windows 10, version 1903 and with the August 2019 security update for Windows 10, version 1709 +and late, a new policy was introduced to replace older deadline-like policies: **Specify deadlines for automatic updates and restarts**. + +The older policies started enforcing deadlines once the device reached a “restart pending” state for +an update. The new policy starts the countdown for the update installation deadline from when the +update is published plus any deferral. In addition, this policy includes a configurable grace period and the option +to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic +restarts for maximum update velocity). + +> [!IMPORTANT] +> If you use the new **Specify deadlines for automatic updates and restarts** setting in Windows 10, +> version 1903, you must disable the [older deadline policies](wufb-compliancedeadlines.md#prior-to-windows-10-version-1709) because they could conflict. + +We recommend you set deadlines as follows: +- Quality update deadline, in days: 3 +- Feature update deadline, in days: 7 +- +Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded +later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you +do **not** set any notification policies, because they are automatically configured with appropriate defaults. An exception is if you +have kiosks or digital signage. + +While three days for quality updates and seven days for feature updates is our recommendation, you might decide +you want more or less, depending on your organization and its requirements, and this policy is configurable down +to a minimum of two days. + + +> [!IMPORTANT] +> If the device is unable to reach the Internet, it can't determine when Microsoft +> published the update, so it won't be able to enforce the deadline. Learn more about [low activity devices](#device-activity-policies). + +### Grace periods + +You can set a period of days for Windows to find a minimally disruptive automatic restart time before the restart is enforced. This +is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device will not +be forced to update immediately when the user returns. + +We recommend you set the following: + +- Grace period, in days: 2 + +Once the deadline and grace period have passed, updates are applied automatically, and a restart occurs +regardless of [active hours](#active-hours). + + +### Let Windows choose when to restart + +Windows can use user interactions to dynamically identify the least disruptive time for an +automatic restart. To take advantage of this feature, ensure **ConfigureDeadlineNoAutoReboot** is set to +**Disabled**. + +## Device activity policies + +Windows typically requires that a device is active and connected to the internet for at least six hours, with at least two +of continuous activity, in order to successfully complete a system update. The device could have other +physical circumstances that prevent successful installation of an update--for example, if a laptop is running low +on battery power, or the user has shut down the device before active hours end and the device cannot comply +with the deadline. + +You can use the settings in this section to ensure that devices are actually available to install updates during the update compliance period. + +### Active hours + +"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts will occur outside of +these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a user’s activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update. + +> [!IMPORTANT] +> If you used the **Configure Active Hours** setting in previous versions of Windows 10, these +options must be **Disabled** in order to take advantage of intelligent active hours. + +If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update +velocity: + +- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it’s possible to set the system to delay restarts for users who are logged +in, this might delay an update indefinitely if a user is always either logged in or shut down. Instead, we +recommend setting the following polices to **Disabled**: + - **Turn off auto-restart during active hours** + - **No auto-restart with logged on users for scheduled automatic updates** + + - [Limit restart delays](waas-restart.md#limit-restart-delays). By using compliance deadlines, your users will receive notifications that +updates will occur, so we recommend that you set this policy to **Disabled**, to allow compliance deadlines to eliminate the user’s ability to delay a restart outside of compliance deadline settings. + +- **Do not allow users to approve updates and reboots**. Letting users approve or engage with the update process outside of the deadline policies decreases update velocity and increases risk. These policies should be set to **Disabled**: + - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) + - [Update/EngagedRestartDeadline](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartdeadline) + - [Update/EngagedRestartDeadlineForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartdeadlineforfeatureupdates) + - [Update/EngagedRestartSnoozeSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozeschedule) + - [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozescheduleforfeatureupdates) + - [Update/EngagedRestartTransitionSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestarttransitionschedule) + +- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you’re using Microsoft Intune, setting the value to [Reset to Default](https://docs.microsoft.com/mem/intune/protect/windows-update-settings#user-experience-settings). +- **Allow auto Windows Update to download over metered networks**. Since more and more devices primarily use cellular data and do not have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting does not allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they are connected to the internet or not, provided they have cellular service. + +> [!IMPORTANT] +> Older versions of Windows don't support intelligent active hours. If your device runs a version of Windows prior to Windows 10, version 1903, we recommend setting the following policies: +>- [Configure active hours](waas-restart.md#configure-active-hours). Starting with Windows 10, version 1703, you can specify a maximum active-hour range which is counted from the active hours start time. We recommend setting +this value to **10**. +>- [Schedule update installation](waas-restart.md#schedule-update-installation). In the **Configure Automatic Updates** settings, there are two ways to control a forced restart after a specified installation time. If you use **schedule update installation**, do not enable both settings because they will most likely conflict. +> - **Specify automatic maintenance time**. This setting lets you set broader maintenance windows for updates and ensures that this schedule does not conflict with active hours. We +recommend setting this value to **3** (corresponding to 3 AM). If 3:00 AM is in the middle of the work shift, pick another time that is at least a couple hours before your scheduled work time begins. +> - **Schedule the install time**. This setting allows you to schedule an installation time for a restart. We do *not* recommend you set this to **Disabled** as it could conflict with active hours. + +### Power policies + +Devices must actually be available during non-active hours in order to an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs: + +To a user, a device is either on or off, but for Windows, there are states that will allow an update to occur (active) and states that do not (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update. + +You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during non-active hours. + +> [!NOTE] +> One way to ensure that devices can install updates when you need them to is to educate your users to keep devices plugged in during non-active hours. Even with the best policies, a device that isn't plugged in will not be updated, even in sleep mode. + +We recommend these power management settings: + +- Sleep mode (S1 or S0 Low Power Idle or [Modern Standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby)). When a device is in sleep mode, the system +appears to be off but if an update is available, it can wake the device up in order to take an update. The +power consumption in sleep mode is between working (system fully usable) and hibernate (S4 - lowest +power level before shutdown). When a device is not being used, the system will generally move to sleep +mode before it goes to hibernate. Issues in velocity arise when the time between sleep and hibernate is +too short and Windows does not have time to complete an update. Sleep mode is an important setting +because the system can wake the system from sleep in order to start the update process, as long as there +is enough power. + +Set the following policies to **Enable** or **Do Not Configure** in order to allow the device to use sleep mode: +- [Power/AllowStandbyStatesWhenSleepingOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-allowstandbystateswhensleepingonbattery) +- [Power/AllowStandbyWhenSleepingPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin) + +Set the following policies to **1 (Sleep)** so that when a user closes the lid of a device, the system goes to +sleep mode and the device has an opportunity to take an update: +- [Power/SelectLidCloseActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactiononbattery) +- [Power/SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin) + +- **Hibernate**. When a device is hibernating, power consumption is very low and the system cannot wake up +without user intervention, like pressing the power button. If a device is in this state, it cannot be updated +unless it supports an ACPI Time and Alarm Device (TAD). That said, if a device supporting Traditional Sleep +(S3) is plugged in, and a Windows update is available, a hibernate state will be delayed until the update is complete. + +> [!NOTE] +> This does not apply to devices that support Modern Standby (S0 Low Power Idle). You can check which system sleep state (S3 or S0 Low Power Idle) a device supports by running `powercfg /a` at a command prompt. For more, see [Powercfg options](https://docs.microsoft.com/windows-hardware/design/device-experiences/powercfg-command-line-options#option_availablesleepstates). + +The default timeout on devices that support traditional sleep is set to three hours. We recommend that you do not reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation: + +- [Power/HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutonbattery) +- [Power/HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutpluggedin) + +## Old or conflicting policies + +Each release of Windows 10 can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions. + +> [!IMPORTANT] +> If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are +> using an MDM tool (Microsoft or non-Microsoft), you can't use the new policy until it's available in the tool interface. + +As administrators, you have set up and expect certain behaviors, so we expressly do not remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected. + +> [!IMPORTANT] +> We sometimes find that administrators set devices to get both Group Policy settings and MDM settings from an MDM server such as Microsoft Intune. Policy conflicts are handled differently, depending on how they are ultimately set up: +> - Windows updates: Group Policy settings take precedence over MDM. +> - Microsoft Intune: If you set different values for the same policy on two different groups, you will +> receive an alert and neither policy will be set until the conflict is resolved. +> It is crucial that you disable conflicting policies in order for devices in your organization to take updates as +> expected. For example, if a device is not reacting to your MDM policy changes, check to see if a similar +> policy is set in Group Policy with a differing value. +> If you find that update velocity is not as high as you expect or if some devices are slower than others, it might be +> time to clear all polices and settings and specify only the recommended update policies. See the Policy and settings reference for a consolidated list of recommended polices. + +The following are policies that you might want to disable because they could decrease update velocity or there are better policies to use that might conflict: +- **Defer Feature Updates Period in Days**. For maximum update velocity, it's best to set this to **0** (no +deferral) so that the feature update can complete and monthly security updates will be offered again. Even if there is an urgent quality update that must be quickly deployed, it is best to use **Pause Feature +Updates** rather than setting a deferral policy. You can choose a longer period if you don't want to stay up to date with the latest feature update. +- **Defer Quality Updates Period in Days**. To minimize risk and maximize update velocity, the maximum time you might want to consider while evaluating the update with a different ring of devices is two to three days. +- **Pause Feature Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution. +- **Pause Quality Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution. +- **Deadline No Auto Reboot**. Default is **Disabled – Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart. + +There are additional policies are no longer supported or have been superseded. diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 0c96d3ba90..d25d48f473 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -99,9 +99,9 @@ In cases where the pause policy is first applied after the configured start date | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for Windows 10, version 1607 and later:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate | +| GPO for Windows 10, version 1607 and later:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime | | GPO for Windows 10, version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for Windows 10, version 1607 and later:
../Vendor/MSFT/Policy/Config/Update/
**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
**1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate | +| MDM for Windows 10, version 1607 and later:
../Vendor/MSFT/Policy/Config/Update/
**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
**1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime | | MDM for Windows 10, version 1511:
../Vendor/MSFT/Policy/Config/Update/
**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. @@ -223,10 +223,10 @@ The following are quick-reference tables of the supported policy values for Wind | BranchReadinessLevel | REG_DWORD | 2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)
16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-annual Channel
32: systems take Feature Updates from Semi-annual Channel
Note: Other value or absent: receive all applicable updates | | DeferQualityUpdates | REG_DWORD | 1: defer quality updates
Other value or absent: don’t defer quality updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | -| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | +| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | |DeferFeatureUpdates | REG_DWORD | 1: defer feature updates
Other value or absent: don’t defer feature updates | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | -| PauseFeatureUpdatesStartDate | REG_DWORD |1: pause feature updates
Other value or absent: don’t pause feature updates | +| PauseFeatureUpdatesStartTime | REG_DWORD |1: pause feature updates
Other value or absent: don’t pause feature updates | | ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
Other value or absent: offer Windows Update drivers | @@ -236,9 +236,9 @@ The following are quick-reference tables of the supported policy values for Wind | --- | --- | --- | | BranchReadinessLevel | REG_DWORD |2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)
16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-annual Channel
32: systems take Feature Updates from Semi-annual Channel
Note: Other value or absent: receive all applicable updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | -| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | +| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | -| PauseFeatureUpdatesStartDate | REG_DWORD | 1: pause feature updates
Other value or absent: don’t pause feature updates | +| PauseFeatureUpdatesStartTime | REG_DWORD | 1: pause feature updates
Other value or absent: don’t pause feature updates | | ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
Other value or absent: offer Windows Update drivers | ## Update devices to newer versions diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index a5d605d778..b4bb57aef5 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -119,7 +119,7 @@ Download mode dictates which download sources clients are allowed to use when do By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. -[//]: # (Configuration Manager Boundary Group option; GroupID Source policy) +[//]: # (Configuration Manager boundary group option; GroupID Source policy) >[!NOTE] >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index ac14bcf549..584aa81202 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -35,6 +35,9 @@ Delivery Optimization offers a great many settings to fine-tune its behavior (se >[!NOTE] >These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set. +> [!NOTE] +> Microsoft Intune includes a profile to make it easier to set Delivery Optimization policies. For details, see [Delivery Optimization settings for Intune](https://docs.microsoft.com/mem/intune/configuration/delivery-optimization-settings). + Quick-reference table: | Use case | Policy | Recommended value | Reason | @@ -66,6 +69,9 @@ To do this in Group Policy go to **Configuration\Policies\Administrative Templat To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**. +> [!NOTE] +> For more about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). + ### Large number of mobile devices @@ -122,6 +128,8 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** | PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | | ExpireOn | The target expiration date and time for the file. | | Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). | + +Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. `Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: @@ -139,7 +147,9 @@ Using the `-Verbose` option returns additional information: - Bytes from CDN (the number of bytes received over HTTP) - Average number of peer connections per download  -Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. +Starting in Windows 10, version 2004, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers. + +Starting in Windows 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. @@ -166,6 +176,30 @@ You can now "pin" files to keep them persistent in the cache. You can only do th #### Work with Delivery Optimization logs +**Starting in Windows 10, version 2004:** + +`Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` + +With no options, this cmdlet returns these data: + +- total number of files +- number of foreground files +- minimum file size for it to be cached +- number of eligible files +- number of files with peers +- number of peering files [how different from the above?] +- overall efficiency +- efficiency in the peered files + +Using the `-ListConnections` option returns these detauls about peers: + +- destination IP address +- peer type +- status code +- bytes sent +- bytes received +- file ID + **Starting in Windows 10, version 1803:** `Get-DeliveryOptimizationLog [-Path ] [-Flush]` diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index d37589c3e6..d39db925b7 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -32,6 +32,15 @@ Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimi >[!NOTE] >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. +## New in Windows 10, version 2004 + +- Enterprise network throttling: new settings have been added in Group Policy and MDM to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface: + +![absolute bandwidth settings in delivery optimization interface](images/DO-absolute-bandwidth.png) + +- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#microsoft-connected-cache). + + ## Requirements The following table lists the minimum Windows 10 version that supports Delivery Optimization: @@ -54,11 +63,16 @@ The following table lists the minimum Windows 10 version that supports Delivery | Windows Defender definition updates | 1511 | | Office Click-to-Run updates | 1709 | | Win32 apps for Intune | 1709 | +| Office installations and updates | 2004 | +| Xbox game pass games | 2004 | +| MSIX apps (HTTP downloads only) | 2004 | | Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 | - @@ -124,6 +138,30 @@ For the payloads (optional): **How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). +**How does Delivery Optimization handle VPNs?** +Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." + +If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. + +If you have defined a boundary group in Configuration Manager and have for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. + +With split tunnelling, it's best to exclude the boundary group for the VPN devices to exclude it from using peer-to-peer. (In this case, those devices won't get the policy and will default to using LAN.) If you're using split tunnelling, you should allow direct access for these endpoints: + +Delivery Optimization service endpoint: +- `https://*.prod.do.dsp.mp.microsoft.com` + +Delivery Optimization metadata: +- `http://emdl.ws.microsoft.com` +- `http://*.dl.delivery.mp.microsoft.com` + +Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads + +- `http://*.windowsupdate.com` +- `https://*.delivery.mp.microsoft.com` +- `https://*.update.microsoft.com` +- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` + +For more information about this if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). ## Troubleshooting diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 0e9f6ba908..e0d6464259 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -1,5 +1,5 @@ --- -title: Deploy updates using Windows Update for Business (Windows 10) +title: Windows Update for Business (Windows 10) ms.reviewer: manager: laurawi description: Windows Update for Business lets you manage when devices received updates from Windows Update. @@ -11,24 +11,118 @@ ms.author: jaimeo ms.topic: article --- -# Deploy updates using Windows Update for Business +# What is Windows Update for Business? **Applies to** - Windows 10 -- Windows Server 2016 -- Windows Server 2019 -Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro for Workstation, and Education editions. + +Windows Update for Business is a free service that is available for all premium editions including Windows 10 Pro, Enterprise, Pro for Workstation, and Education editions. > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. +Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. -Specifically, Windows Update for Business allows for control over update offering and experience to allow for reliability and performance testing on a subset of systems before rolling out updates across the organization as well as a positive update experience for those within your organization. +Specifically, Windows Update for Business allows for control over update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization as well as a positive update experience for those in your organization. + +## What can I do with Windows Update for Business? + +Windows Update for Business enables commercial customers to manage which Windows Updates are received when as well as the experience a device has when it receives them. + +You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as a variety of other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy). + + +### Manage deployment of Windows Updates +By using Windows Update for Business, you can control which types of Windows Updates are offered to devices in your ecosystem, when updates are applied, and deployment to devices in your organization in waves. + +### Manage which updates are offered +Windows Update for Business enables an IT administrator to receive and manage a variety of different types of Windows Updates. + +## Types of updates managed by Windows Update for Business + +Windows Update for Business provides management policies for several types of updates to Windows 10 devices: + +- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released semi-annually in the fall and in the spring. +- **Quality updates:** These are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. +- **Driver updates:** These are non-Microsoft drivers that are applicable to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. +- **Microsoft product updates**: These are updates for other Microsoft products, such as Office. Product updates are off by default. You can turn them on by using Windows Update for Business policies. + + +## Offering +You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period. + +### Manage when updates are offered +You can defer or pause the installation of updates for a set period of time. + +#### Enroll in pre-release updates + +The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates: + +- Windows Insider Fast +- Windows Insider Slow +- Windows Insider Release Preview +- Semi-annual Channel + +Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days are calculated against a release’s Semi-annual Channel release date. For exact release dates, see [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. + +#### Defer an update + +A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates use the **Select when Preview Builds and Feature Updates are Received** policy. + + +|Category |Maximum deferral period | +|---------|---------| +|Feature updates | 365 days | +|Quality updates | 30 days | +|Non-deferrable | none | + + + +#### Pause an update + +If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. +If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. + +To pause feature updates use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). + +Built in benefits: +When updating from Windows Update you get the added benefits of built in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks. + +### Recommendations + +For the best experience with Windows Update, follow these guidelines: + +- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. +- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. +- Make sure that devices have at least 10 GB of free space. +- Give devices unobstructed access to the Windows Update service. + +### Manage the end-user experience when receiving Windows Updates + +Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for those in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's usually better to use fewer controls to manage the end-user experience. + +#### Recommended experience settings + +Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features: + +1. Automatically download, install and restart (default if no restart policies are set up or enabled) +2. Use the default notifications +3. Set update deadlines + +##### Setting deadlines + +A compliance deadline policy (released in June 2019) enables you to set separate deadlines and grace periods for feature and quality updates. + +This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This is extremely beneficial in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. + + + + + 0x$("{0:X16}" -f $LibHandle.ToInt64())" Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())" } @@ -450,7 +452,7 @@ function Instantiate-HSTI { $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize) [byte[]]$blob = New-Object byte[] $blobByteSize - [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount + [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize) $string = $null $blob | foreach { $string = $string + $_.ToString("X2")+"," } @@ -479,7 +481,7 @@ function Instantiate-HSTI { LogAndConsoleError $ErrorMessage $DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null } - else + else { LogAndConsoleWarning $ErrorMessage $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null @@ -487,9 +489,9 @@ function Instantiate-HSTI { } } - catch + catch { - LogAndConsoleError $_.Exception.Message + LogAndConsoleError $_.Exception.Message LogAndConsoleError "Instantiate-HSTI failed" } } @@ -613,10 +615,10 @@ function ExecuteCommandAndLog($_cmd) $CmdOutput = Invoke-Expression $_cmd | Out-String Log "Output: $CmdOutput" } - catch + catch { Log "Exception while exectuing $_cmd" - Log $_.Exception.Message + Log $_.Exception.Message } @@ -676,7 +678,7 @@ function CheckDriverCompat verifier.exe /flags 0x02000000 /all /log.code_integrity LogAndConsole "Enabling Driver Verifier and Rebooting system" - Log $verifier_state + Log $verifier_state LogAndConsole "Please re-execute this script after reboot...." if($AutoReboot) { @@ -692,7 +694,7 @@ function CheckDriverCompat else { LogAndConsole "Driver verifier already enabled" - Log $verifier_state + Log $verifier_state ListDrivers($verifier_state.Trim().ToLowerInvariant()) } } @@ -700,23 +702,23 @@ function IsDomainController { $_isDC = 0 $CompConfig = Get-WmiObject Win32_ComputerSystem - foreach ($ObjItem in $CompConfig) + foreach ($ObjItem in $CompConfig) { $Role = $ObjItem.DomainRole Log "Role=$Role" - Switch ($Role) + Switch ($Role) { 0 { Log "Standalone Workstation" } 1 { Log "Member Workstation" } 2 { Log "Standalone Server" } 3 { Log "Member Server" } - 4 + 4 { Log "Backup Domain Controller" $_isDC=1 break } - 5 + 5 { Log "Primary Domain Controller" $_isDC=1 @@ -735,7 +737,7 @@ function CheckOSSKU Log "OSNAME:$osname" $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home") $HLKAllowed = @("microsoft windows 10 pro") - foreach ($SKUent in $SKUarray) + foreach ($SKUent in $SKUarray) { if($osname.ToString().Contains($SKUent.ToLower())) { @@ -762,7 +764,7 @@ function CheckOSSKU } ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f ' } - else + else { LogAndConsoleError "This PC edition is Unsupported for Device Guard" $DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null @@ -773,14 +775,14 @@ function CheckOSSKU function CheckOSArchitecture { $OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower() - Log $OSArch - if($OSArch.Contains("64-bit")) + Log $OSArch + if($OSArch -match ("^64\-?\s?bit")) { - LogAndConsoleSuccess "64 bit archictecture" + LogAndConsoleSuccess "64 bit architecture" } - elseif($OSArch.Contains("32-bit")) + elseif($OSArch -match ("^32\-?\s?bit")) { - LogAndConsoleError "32 bit archictecture" + LogAndConsoleError "32 bit architecture" $DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null } else @@ -878,7 +880,7 @@ function CheckTPM function CheckSecureMOR { $isSecureMOR = CheckDGFeatures(4) - Log "isSecureMOR= $isSecureMOR " + Log "isSecureMOR= $isSecureMOR " if($isSecureMOR -eq 1) { LogAndConsoleSuccess "Secure MOR is available" @@ -904,7 +906,7 @@ function CheckSecureMOR function CheckNXProtection { $isNXProtected = CheckDGFeatures(5) - Log "isNXProtected= $isNXProtected " + Log "isNXProtected= $isNXProtected " if($isNXProtected -eq 1) { LogAndConsoleSuccess "NX Protector is available" @@ -921,7 +923,7 @@ function CheckNXProtection function CheckSMMProtection { $isSMMMitigated = CheckDGFeatures(6) - Log "isSMMMitigated= $isSMMMitigated " + Log "isSMMMitigated= $isSMMMitigated " if($isSMMMitigated -eq 1) { LogAndConsoleSuccess "SMM Mitigation is available" @@ -938,15 +940,15 @@ function CheckSMMProtection function CheckHSTI { LogAndConsole "Copying HSTITest.dll" - try + try { $HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded) [System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded) } - catch + catch { - LogAndConsole $_.Exception.Message + LogAndConsole $_.Exception.Message LogAndConsole "Copying and loading HSTITest.dll failed" } @@ -959,7 +961,7 @@ function PrintToolVersion LogAndConsole "" LogAndConsole "###########################################################################" LogAndConsole "" - LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard." + LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard." LogAndConsole "" LogAndConsole "###########################################################################" LogAndConsole "" @@ -1030,7 +1032,7 @@ if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -a } $user = [Security.Principal.WindowsIdentity]::GetCurrent(); -$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) +$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) if(!$TestForAdmin) { @@ -1065,7 +1067,7 @@ if($Ready) { Log "_CGState: $_CGState" PrintCGDetails $_CGState - + if($_CGState) { ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f' @@ -1077,28 +1079,28 @@ if($Ready) } elseif($DG) { - Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" + Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" PrintHVCIDetails $_HVCIState - PrintConfigCIDetails $_ConfigCIState + PrintConfigCIDetails $_ConfigCIState if($_ConfigCIState -and $_HVCIState) { LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running." - + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f' } else { LogAndConsoleWarning "Not all services are running." - + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f' } } - else + else { - Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" - + Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" + PrintCGDetails $_CGState PrintHVCIDetails $_HVCIState PrintConfigCIDetails $_ConfigCIState @@ -1147,7 +1149,7 @@ if($Enable) { ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f' } - else + else { ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f' ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f' @@ -1158,8 +1160,8 @@ if($Enable) { if(!$HVCI -and !$CG) { - if(!$SIPolicyPath) - { + if(!$SIPolicyPath) + { Log "Writing Decoded SIPolicy.p7b" $SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded) [System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded) @@ -1182,7 +1184,7 @@ if($Enable) if(!$_isRedstone) { LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately" - #Enable/Disable IOMMU seperately + #Enable/Disable IOMMU separately ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart' } $CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String @@ -1251,7 +1253,7 @@ if($Disable) if(!$_isRedstone) { LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately" - #Enable/Disable IOMMU seperately + #Enable/Disable IOMMU separately ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart' } $CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String @@ -1270,7 +1272,7 @@ if($Disable) } #set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS - #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always + #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always #this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS $FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random Log "FreeDrive=$FreeDrive" @@ -1314,7 +1316,7 @@ if($Capable) } $_StepCount = 1 if(!$CG) - { + { LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== " $_StepCount++ CheckDriverCompat @@ -1323,15 +1325,15 @@ if($Capable) LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== " $_StepCount++ CheckSecureBootState - + if(!$HVCI -and !$DG -and !$CG) - { + { #check only if sub-options are absent LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== " $_StepCount++ CheckHSTI } - + LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== " $_StepCount++ CheckOSArchitecture @@ -1345,11 +1347,11 @@ if($Capable) CheckVirtualization if(!$HVCI -and !$DG) - { + { LogAndConsole " ====================== Step $_StepCount TPM version ====================== " $_StepCount++ CheckTPM - + LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== " $_StepCount++ CheckSecureMOR @@ -1358,11 +1360,11 @@ if($Capable) LogAndConsole " ====================== Step $_StepCount NX Protector ====================== " $_StepCount++ CheckNXProtection - + LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== " $_StepCount++ CheckSMMProtection - + LogAndConsole " ====================== End Check ====================== " LogAndConsole " ====================== Summary ====================== " @@ -1371,7 +1373,6 @@ if($Capable) } - # SIG # Begin signature block ## REPLACE # SIG # End signature block diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index f42095fd31..a51e3b166f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -75,8 +75,9 @@ Sign-in the federation server with domain administrator equivalent credentials. 6. On the **Request Certificates** page, Select the **Internal Web Server** check box. 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. -9. Click **Enroll**. +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. +9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Repeat the same to add device registration service name (*enterpriseregistration.contoso.com*) as another alternative name. Click **OK** when finished. +10. Click **Enroll**. A server authentication certificate should appear in the computer’s Personal certificate store. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 067d2d3504..3fc4c88711 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -150,7 +150,7 @@ Domain controllers automatically request a certificate from the domain controlle 7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. 8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. 9. Select **Enabled** from the **Configuration Model** list. -10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box. 11. Select the **Update certificates that use certificate templates** check box. 12. Click **OK**. Close the **Group Policy Management Editor**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index ce973a2827..ae11903279 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -294,6 +294,8 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted 5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. ![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png) 6. Sign out of the Microsoft Azure Portal. +> [!NOTE] +> After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same. ## Configure Windows Hello for Business Device Enrollment diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index be3bc06968..328c9513bf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -19,7 +19,7 @@ ms.reviewer: # Configure Windows Hello for Business: Active Directory Federation Services **Applies to** -- Windows10, version 1703 or later +- Windows 10, version 1703 or later - Hybrid deployment - Certificate trust @@ -36,15 +36,14 @@ The Windows Hello for Business Authentication certificate template is configured Sign-in the AD FS server with *Domain Admin* equivalent credentials. 1. Open a **Windows PowerShell** prompt. -2. Type the following command +2. Enter the following command: ```PowerShell Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true ``` - ->[!NOTE] -> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. + >[!NOTE] + > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. ### Group Memberships for the AD FS Service Account @@ -66,8 +65,8 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva ### Section Review > [!div class="checklist"] -> * Configure the registration authority -> * Update group memberships for the AD FS service account +> * Configure the registration authority. +> * Update group memberships for the AD FS service account. > > > [!div class="step-by-step"] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 0aa43d1982..7576402a17 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -16,6 +16,7 @@ localizationpriority: medium ms.date: 10/23/2017 ms.reviewer: --- + # Configure Hybrid Windows Hello for Business: Directory Synchronization **Applies to** @@ -26,7 +27,7 @@ ms.reviewer: ## Directory Synchronization -In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. +In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. The key-trust model needs Windows Server 2016 domain controllers, which configure the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. @@ -45,12 +46,12 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv 6. In the **Applies to** list box, select **Descendant User objects**. 7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. 8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**. -9. Click **OK** three times to complete the task. +9. Click **OK** three times to complete the task. ### Group Memberships for the Azure AD Connect Service Account -The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory. +The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory. Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. @@ -62,14 +63,14 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 6. Click **OK** to return to **Active Directory Users and Computers**. > [!NOTE] -> If your AD forest has multiple domains. Please make sure you add the ADConnect sync service account (that is, MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest. +> If your AD forest has multiple domains, make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest. ### Section Review > [!div class="checklist"] > * Configure Permissions for Key Synchronization > * Configure group membership for Azure AD Connect -> +> > [!div class="step-by-step"] > [< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) > [Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 20e50b5d3a..0f6cbee626 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -63,7 +63,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object. -The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below. +The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca). * The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. * The certificate Subject section should contain the directory path of the server object (the distinguished name). @@ -71,7 +71,7 @@ The minimum required enterprise certificate authority that can be used with Wind * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5). * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. -* The certificate template must have an extension that has the BMP data value "DomainController". +* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template. * The domain controller certificate must be installed in the local computer's certificate store. diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 406d096165..96fc9bd8c2 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -457,7 +457,7 @@ Checking BitLocker status with the control panel is the most common method used | **Suspended** | BitLocker is suspended and not actively protecting the volume | | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| -If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on volume E. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. +If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process. diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 09d6973301..436ef15fe7 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -1882,7 +1882,7 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker. ->**Warning:** Enabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. +>**Warning:** Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. ### Provide the unique identifiers for your organization diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index 74a43afb5e..b8f2f1dbc6 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -111,7 +111,7 @@ For example: If you want to prevent the installation of a device class or certain devices, you can use the prevent device installation policies: 1. Enable **Prevent installation of devices that match any of these device IDs**. -2. Enable **Prevent installation of devices that match these device setup classes**. +2. Enable **Prevent installation of devices using drivers that match these device setup classes**. > [!Note] > The prevent device installation policies take precedence over the allow device installation policies. @@ -145,6 +145,14 @@ Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property * ``` +The **Prevent installation of devices using drivers that match these device setup classes** policy allows you to specify device setup classes that Windows is prevented from installing. + +To prevent installation of particular classes of devices: + +1. Find the GUID of the device setup class from [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). +2. Enable **Prevent installation of devices using drivers that match these device setup classes** and add the class GUID to the list. +![Add device setup class to prevent list](images/Add-device-setup-class-to-prevent-list.png) + ### Block installation and usage of removable storage 1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). diff --git a/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png b/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png new file mode 100644 index 0000000000..043da38016 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index dec845f1d0..54109e5159 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -29,7 +29,9 @@ ms.topic: article Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. -You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. +You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. For more information, see: +- [Microsoft Defender ATP for Linux system requirements](microsoft-defender-atp-linux.md#system-requirements) +- [Microsoft Defender ATP for Mac system requirements](microsoft-defender-atp-mac.md#system-requirements). ## Onboarding non-Windows machines You'll need to take the following steps to onboard non-Windows machines: diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index e31b0b4fc7..a0a0720c4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -12,14 +12,14 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/20/2020 +ms.date: 05/29/2020 ms.reviewer: manager: dansimp --- # Enable attack surface reduction rules -[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuses to compromise devices and networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows: +[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows: - Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later @@ -27,22 +27,22 @@ manager: dansimp Each ASR rule contains one of three settings: -* Not configured: Disable the ASR rule -* Block: Enable the ASR rule -* Audit: Evaluate how the ASR rule would impact your organization if enabled +- Not configured: Disable the ASR rule +- Block: Enable the ASR rule +- Audit: Evaluate how the ASR rule would impact your organization if enabled -To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. +To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. > [!TIP] > To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf). You can enable attack surface reduction rules by using any of these methods: -* [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mdm) -* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) -* [Group Policy](#group-policy) -* [PowerShell](#powershell) +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. @@ -50,6 +50,8 @@ Enterprise-level management such as Intune or Microsoft Endpoint Configuration M You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. +You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Microsoft Defender ATP file and certificate indicators. (See [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).) + > [!IMPORTANT] > Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. > If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). @@ -67,9 +69,9 @@ The following procedures for enabling ASR rules include instructions for how to 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule. -3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: +3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows: - *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path* + `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path` 4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. @@ -79,23 +81,23 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules). -OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules +`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules` -Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1 +`Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1` The values to enable, disable, or enable in audit mode are: -* Disable = 0 -* Block (enable ASR rule) = 1 -* Audit = 2 +- Disable = 0 +- Block (enable ASR rule) = 1 +- Audit = 2 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. Example: -OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions +`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions` -Value: c:\path|e:\path|c:\Whitelisted.exe +`Value: c:\path|e:\path|c:\Whitelisted.exe` > [!NOTE] > Be sure to enter OMA-URI values without spaces. @@ -103,11 +105,16 @@ Value: c:\path|e:\path|c:\Whitelisted.exe ## Microsoft Endpoint Configuration Manager 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -1. Click **Home** > **Create Exploit Guard Policy**. -1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. -1. Choose which rules will block or audit actions and click **Next**. -1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. + +2. Click **Home** > **Create Exploit Guard Policy**. + +3. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. + +4. Choose which rules will block or audit actions and click **Next**. + +5. Review the settings and click **Next** to create the policy. + +6. After the policy is created, click **Close**. ## Group Policy @@ -120,15 +127,15 @@ Value: c:\path|e:\path|c:\Whitelisted.exe 3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. -4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: +4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section. - * Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - * Disable = 0 - * Block (enable ASR rule) = 1 - * Audit = 2 + - Disable = 0 + - Block (enable ASR rule) = 1 + - Audit = 2 - ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png) + ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png) 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. @@ -169,11 +176,11 @@ Value: c:\path|e:\path|c:\Whitelisted.exe > Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode > ``` - You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. + You can also use the `Add-MpPreference` PowerShell verb to add new rules to the existing list. > [!WARNING] > `Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. - > You can obtain a list of rules and their current state by using `Get-MpPreference` + > You can obtain a list of rules and their current state by using `Get-MpPreference`. 3. To exclude files and folders from ASR rules, use the following cmdlet: @@ -186,9 +193,12 @@ Value: c:\path|e:\path|c:\Whitelisted.exe > [!IMPORTANT] > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. -## Related topics +## Related articles -* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) -* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) -* [Attack surface reduction FAQ](attack-surface-reduction.md) -* [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) + +- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) + +- [Attack surface reduction FAQ](attack-surface-reduction.md) + +- [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index 33337c0f38..f150156c0e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -26,7 +26,7 @@ ms.topic: article ## API description Retrieves a collection of Alerts.
Supports [OData V4 queries](https://www.odata.org/documentation/). -
The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```incidentId```, ```InvestigationId```, ```status```, ```severity``` and ```category``` properties. +
The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md index 066146d158..fe2ddd1f2d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md @@ -46,6 +46,15 @@ To have your company listed as a partner in the in-product partner page, you wil 3. Provide a 15-word product description. 4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed. 5. If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application. +6. We'd like to request that you include the User-Agent field in each API call made to Microsoft Defender ATP public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA). + Follow these steps: + 1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP integrated product with the version of the product that includes this integration. + + - ISV Nomenclature: `MdatpPartner-{CompanyName}-{TenantID}/{Version}`. + - Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`. + + 2. Set the User-Agent field in each HTTP request header to the name based on the above nomenclature. + For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0` Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md index e570e0634a..f243b53767 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md @@ -53,7 +53,13 @@ The risk level reflects the overall risk assessment of the machine based on a co ### Exposure level -The exposure level reflects the current exposure of the machine based on the cumulative impact of its pending security recommendations. +The exposure level reflects the current exposure of the machine based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your machines are less vulnerable from exploitation. + +If the exposure level says "No data available," there are a few reasons why this may be the case: + +- Device stopped reporting for more than 30 days – in that case it is considered inactive, and the exposure isn't computed +- Device OS not supported - see [minimum requirements for Microsoft Defender ATP](minimum-requirements.md) +- Device with stale agent (very unlikely) ### OS Platform diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index 3c7b1fa724..531278a14a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -76,7 +76,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can * URL - wildcard supported * Command line - wildcard supported -3. Select the **Trigerring IOC**. +3. Select the **Triggering IOC**. 4. Specify the action and scope on the alert.
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and machine timeline and will appear as resolved across Microsoft Defender ATP APIs.

Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index 5b7477d473..30538a9a58 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -34,7 +34,8 @@ Offboard machine from Microsoft Defender ATP. [!include[Machine actions note](../../includes/machineactionsnote.md)] >[!Note] -> This does not support offboarding macOS Devices. +> This API is supported on Windows 10, version 1703 and later, or Windows Server 2019 and later. +> This API is not supported on MacOS or Linux devices. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index 0f4c5a7201..3e320c90a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -145,7 +145,7 @@ Appendix section in this document for the URLs Whitelisting or on Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). > [!NOTE] -> For a detailed list of URLs that need to be whitelisted, please see [this article](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus). +> For a detailed list of URLs that need to be whitelisted, please see [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus). **Manual static proxy configuration:** diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index 3aa61ca9b4..1c74391497 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 06/27/2019 +ms.date: 05/29/2020 --- # Domain member: Maximum machine account password age @@ -42,8 +42,7 @@ For more information, see [Machine Account Password Process](https://techcommuni ### Best practices -1. We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites. -2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer is turned on after being offline more than 30 days, the Netlogon service notices the password age and initiates a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer does not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and then configure the value for this policy setting to a greater number of days. +We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites. ### Location diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md index 7917efbce4..b57e36e03e 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md @@ -20,18 +20,18 @@ ms.date: 04/19/2017 # Minimum password length **Applies to** -- Windows 10 +- Windows 10 Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting. ## Reference -The **Minimum password length** policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. +The **Minimum password length** policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 20 characters, or you can establish that no password is required by setting the number of characters to 0. ### Possible values -- User-specified number of characters between 0 and 14 -- Not defined +- User-specified number of characters between 0 and 20 +- Not defined ### Best practices @@ -51,13 +51,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or Group Policy Object (GPO) | Default value | | - | - | -| Default domain policy| 7 characters| -| Default domain controller policy | Not defined| -| Stand-alone server default settings | 0 characters| -| Domain controller effective default settings | 7 characters| -| Member server effective default settings | 7 characters| -| Effective GPO default settings on client computers | 0 characters| - +| Default domain policy| 7 characters| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | 0 characters| +| Domain controller effective default settings | 7 characters| +| Member server effective default settings | 7 characters| +| Effective GPO default settings on client computers | 0 characters| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. @@ -80,8 +80,9 @@ Configure the **** policy setting to a value of 8 or more. If the number of char In most environments, we recommend an eight-character password because it is long enough to provide adequate security, but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) policy setting in addition to the **Minimum password length** setting helps reduce the possibility of a dictionary attack. ->**Note:**  Some jurisdictions have established legal requirements for password length as part of establishing security regulations. - +> [!NOTE] +> Some jurisdictions have established legal requirements for password length as part of establishing security regulations. + ### Potential impact Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover. diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index e702402c80..ebb66d445a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 05/14/2019 +ms.date: 05/29/2020 --- # Manage Packaged Apps with Windows Defender Application Control @@ -65,8 +65,10 @@ Below are the list of steps you can follow to block one or more packaged apps in 1. Get the app identifier for an installed package ```powershell - $package = Get-AppxPackage -name + $package = Get-AppxPackage -name ** ``` + Where the name of the app is surrounded by asterisks, for example *windowsstore* + 2. Make a rule by using the New-CIPolicyRule cmdlet ```powershell @@ -119,9 +121,9 @@ If the app you intend to block is not installed on the system you are using the 3. Copy the GUID in the URL for the app - Example: the GUID for the Microsoft To-Do app is 9nblggh5r558 - - https://www.microsoft.com/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab + - `https://www.microsoft.com/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab` 4. Use the GUID in the following REST query URL to retrieve the identifiers for the app - - Example: for the Microsoft To-Do app, the URL would be https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata + - Example: for the Microsoft To-Do app, the URL would be `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata` - The URL will return: ``` @@ -141,4 +143,4 @@ The method for allowing specific packaged apps is similar to the method outlined $Rule = New-CIPolicyRule -Package $package -allow ``` -Since a lot of system apps are packaged apps, it is generally advised that customers rely on the sample policies in C:\Windows\schemas\CodeIntegrity\ExamplePolicies to help allow all inbox apps by the Store signature already included in the policies and control apps with deny rules. +Since a lot of system apps are packaged apps, it is generally advised that customers rely on the sample policies in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` to help allow all inbox apps by the Store signature already included in the policies and control apps with deny rules. diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 7826641e1f..61bdb73f63 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -1,6 +1,6 @@ --- -title: Configure the Group Policy settings for Windows Defender Application Guard (Windows 10) -description: Learn about the available Group Policy settings for Windows Defender Application Guard. +title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10) +description: Learn about the available Group Policy settings for Microsoft Defender Application Guard. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -8,18 +8,18 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 10/17/2017 +ms.date: 05/27/2020 ms.reviewer: manager: dansimp ms.custom: asr --- -# Configure Windows Defender Application Guard policy settings +# Configure Microsoft Defender Application Guard policy settings **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. +Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. Application Guard uses both network isolation and application-specific settings. @@ -36,7 +36,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Net |-----------|------------------|-----------| |Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| |Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| -|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| +|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. Proxies should be added to this list. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| ## Network isolation settings wildcards @@ -53,9 +53,9 @@ These settings, located at **Computer Configuration\Administrative Templates\Win |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| |Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
-Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. **Note:** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**Note**
If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| +|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.

**Note**
Network printers must be published by Active Directory to work in Application Guard.| +|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. **Note:** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.

**Note**
This policy is no longer supported in the 2004 update and later.| +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**Note**
If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| |Turn on Windows Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Windows Defender Application Guard only for Microsoft Edge
- Enable Windows Defender Application Guard only for Microsoft Office
- Enable Windows Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| |Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 1e8839b354..bcc04ffc9b 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -1,6 +1,6 @@ --- -title: FAQ - Windows Defender Application Guard (Windows 10) -description: Learn about the commonly asked questions and answers for Windows Defender Application Guard. +title: FAQ - Microsoft Defender Application Guard (Windows 10) +description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -8,17 +8,17 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 12/04/2019 +ms.date: 06/02/2020 ms.reviewer: manager: dansimp ms.custom: asr --- -# Frequently asked questions - Windows Defender Application Guard +# Frequently asked questions - Microsoft Defender Application Guard **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. +Answering frequently asked questions about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. ## Frequently Asked Questions @@ -83,7 +83,7 @@ To trust a subdomain, you must precede your domain with two dots, for example: ` ### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? -When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). +When using Windows Pro or Windows Enterprise, you have access to using Application Guard's Standalone Mode. However, when using Windows Enterprise, you have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). ### Is there a size limit to the domain lists that I need to configure? @@ -91,4 +91,8 @@ Yes, both the Enterprise Resource domains hosted in the cloud and the Domains ca ### Why does my encryption driver break Windows Defender Application Guard? -Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT"). +Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`). + +### Why did Application Guard stop working after I turned off hyperthreading? + +If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index e5630f24a3..2ef6c54364 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -1,6 +1,6 @@ --- title: Enable hardware-based isolation for Microsoft Edge (Windows 10) -description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise. +description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -14,19 +14,19 @@ manager: dansimp ms.custom: asr --- -# Prepare to install Windows Defender Application Guard +# Prepare to install Microsoft Defender Application Guard **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ## Review system requirements -See [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard) to review the hardware and software installation requirements for Windows Defender Application Guard. +See [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard) to review the hardware and software installation requirements for Windows Defender Application Guard. >[!NOTE] ->Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. +>Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. -## Prepare for Windows Defender Application Guard -Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. +## Prepare for Microsoft Defender Application Guard +Before you can install and use Microsoft Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. ### Standalone mode diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index ca449ea92c..0f700a7b26 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -1,6 +1,6 @@ --- -title: System requirements for Windows Defender Application Guard (Windows 10) -description: Learn about the system requirements for installing and running Windows Defender Application Guard. +title: System requirements for Microsoft Defender Application Guard (Windows 10) +description: Learn about the system requirements for installing and running Microsoft Defender Application Guard. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -14,17 +14,17 @@ manager: dansimp ms.custom: asr --- -# System requirements for Windows Defender Application Guard +# System requirements for Microsoft Defender Application Guard **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. +The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. >[!NOTE] ->Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. +>Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. ## Hardware requirements -Your environment needs the following hardware to run Windows Defender Application Guard. +Your environment needs the following hardware to run Microsoft Defender Application Guard. |Hardware|Description| |--------|-----------| diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index a5eebdf2a2..f380bebaa0 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -1,6 +1,6 @@ --- -title: Testing scenarios with Windows Defender Application Guard (Windows 10) -description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. +title: Testing scenarios with Microsoft Defender Application Guard (Windows 10) +description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md index 1c44d0d42f..a0f657a331 100644 --- a/windows/security/threat-protection/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-baselines.md @@ -22,6 +22,7 @@ ms.reviewer: - Windows 10 - Windows Server - Microsoft 365 Apps for enterprise +- Microsoft Edge ## Using security baselines in your organization diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index a043492918..edb6146667 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -1,4 +1,5 @@ # [What's new in Windows 10](index.md) +## [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md) ## [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md) ## [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) ## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) diff --git a/windows/whats-new/images/system-guard2.png b/windows/whats-new/images/system-guard2.png new file mode 100644 index 0000000000..5505ffa78c Binary files /dev/null and b/windows/whats-new/images/system-guard2.png differ diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index b7051cfee0..f8674a3abf 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -18,6 +18,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## In this section +- [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md) - [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md) - [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) - [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index e49c027a4d..6898dce476 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, versions 1507 and 1511 (Windows 10) -description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile. +description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile. ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 ms.reviewer: ms.prod: w10 @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, versions 1507 and 1511 +# What's new in Windows 10, versions 1507 and 1511 for IT Pros Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511. diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index f27cc65739..2b6f691d44 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1607 (Windows 10) -description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 (version 1607) and Windows 10 Mobile. +description: What's new in Windows 10 for Windows 10 (version 1607) and Windows 10 Mobile. keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.author: greglin ms.topic: article --- -# What's new in Windows 10, version 1607 +# What's new in Windows 10, version 1607 for IT Pros Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update). diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 1a4c0d57c0..bcec94de57 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1703 -description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated). +description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated). keywords: ["What's new in Windows 10", "Windows 10", "creators update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.author: greglin ms.topic: article --- -# What's new in Windows 10, version 1703 IT pro content +# What's new in Windows 10, version 1703 for IT Pros Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update). diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index 0aaaa4cb45..17f5cb4dfe 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1709 -description: New and updated IT Pro content about new features in Windows 10, version 1709 (also known as the Fall Creators Update). +description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update). keywords: ["What's new in Windows 10", "Windows 10", "Fall Creators Update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, version 1709 IT Pro content +# What's new in Windows 10, version 1709 for IT Pros **Applies to** - Windows 10, version 1709 diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 051d5d4b6e..acd7f43bb2 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1803 -description: New and updated IT Pro content about new features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update). +description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update). keywords: ["What's new in Windows 10", "Windows 10", "April 2018 Update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, version 1803 IT Pro content +# What's new in Windows 10, version 1803 for IT Pros **Applies to** - Windows 10, version 1803 diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index ec640e3eea..795fbe2644 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1903 -description: New and updated IT Pro content about new features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). +description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). keywords: ["What's new in Windows 10", "Windows 10", "May 2019 Update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, version 1903 IT Pro content +# What's new in Windows 10, version 1903 for IT Pros **Applies to** - Windows 10, version 1903 diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 6d20ec5fa7..27fc2277eb 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1909 -description: New and updated IT Pro content about new features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update). +description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update). keywords: ["What's new in Windows 10", "Windows 10", "November 2019 Update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, version 1909 IT Pro content +# What's new in Windows 10, version 1909 for IT Pros **Applies to** - Windows 10, version 1909 @@ -60,10 +60,6 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190 ## Virtualization -### Containers on Windows - -This update includes 5 fixes to allow the host to run down-level containers on up-level for process (Argon) isolation. Previously [Containers on Windows](https://docs.microsoft.com/virtualization/windowscontainers/) required matched host and container version. This limited Windows containers from supporting mixed-version container pod scenarios. - ### Windows Sandbox [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature is available in Windows 10, version 1903. In Windows 10, version 1909 you have even more control over the level of isolation. diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md new file mode 100644 index 0000000000..a722dcf90c --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -0,0 +1,243 @@ +--- +title: What's new in Windows 10, version 2004 +description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update). +keywords: ["What's new in Windows 10", "Windows 10", "May 2020 Update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.author: greglin +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# What's new in Windows 10, version 2004 for IT Pros + +**Applies to** +- Windows 10, version 2004 + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909. + +> [!NOTE] +> The month indicator for this release is 04 instead of 03 to avoid confusion with Windows releases in the year 2003. + +## Security + +### Windows Hello + +- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. +- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. +- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#windows-hello-pin-in-safe-mode-build-18995). +- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). + +### Windows Defender System Guard + +In this release, [Windows Defender System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO. + +With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon. + + ![System Guard](images/system-guard2.png) + +### Windows Defender Application Guard + +[Windows Defender Application Guard](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. + +Note: [Application Guard for Office](https://support.office.com/article/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46) is coming soon. + +## Deployment + +### Windows Setup + +Improvements in Windows Setup with this release include: +- Reduced offline time during feature updates +- Improved controls for reserved storage +- Improved controls and diagnostics +- New recovery options + +For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464). + +### SetupDiag + +In Windows 10, version 2004, SetupDiag is now automatically installed. + +[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. + +During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there is an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup. + +### Windows Autopilot + +With this release, you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. + +If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles. + +### Microsoft Endpoint Manager + +An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364). + +Also see [What's new in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/whats-new). + +### Windows Assessment and Deployment Toolkit (ADK) + +Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install). + +For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004). + +### Microsoft Deployment Toolkit (MDT) + +MDT version 8456 supports Windows 10, version 2004, but there is currently an issue that causes MDT to incorrectly detect that UEFI is present. This issue is currently under investigation. + +For the latest information about MDT, see the [MDT release notes](https://docs.microsoft.com/mem/configmgr/mdt/release-notes). + +## Servicing + +### Delivery Optimization + +Windows PowerShell cmdlets have been improved: + +- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent). +- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections. +- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting. + +Additional improvements: +- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. +- Automatic cloud-based congestion detection is available for PCs with cloud service support. + +The following [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) policies are removed in this release: + +- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) + - Reason: Replaced with separate policies for foreground and background +- Max Upload Bandwidth (DOMaxUploadBandwidth) + - Reason: impacts uploads to internet peers only, which isn't used in Enterprises. +- Absolute max throttle (DOMaxDownloadBandwidth) + - Reason: separated to foreground and background + +### Windows Update for Business + +[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include: +- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. +- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. + +## Virtualization + +### Windows Sandbox + +[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature was released with Windows 10, version 1903. Windows 10, version 2004 includes bug fixes and enables even more control over configuration. + +[Windows Sandbox configuration](https://docs.microsoft.com/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) includes: +- MappedFolders now supports a destination folder. Previously no destination could be specified, it was always mapped to the Sandbox desktop. +- AudioInput/VideoInput settings now enable you to share their host microphone or webcam with the Sandbox. +- ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This is disabled by default due to issues with copy & paste. +- PrinterRedirection: You can now enable and disable host printer sharing with the Sandbox. +- ClipboardRedirection: You can now enable and disable host clipboard sharing with the Sandbox. +- MemoryInMB adds the ability to specify the maximum memory usage of the Sandbox. + +Windows Media Player is also added back to the Sandbox image in this release. + +Windows Sandbox also has improved accessibility in this release, including: +- Microphone support is available. +- Added functionality to configure the audio input device via the Windows Sandbox config file. +- A Shift + Alt + PrintScreen key sequence that activates the ease of access dialog for enabling high contrast mode. +- A ctrl + alt + break key sequence that allows entering/exiting fullscreen mode. + +### Windows Subsystem for Linux (WSL) + +With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but would not shrink when no longer needed. + +[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support is has been added for ARM64 devices if your device supports virtualization. + +For a full list of updates to WSL, see the [WSL release notes](https://docs.microsoft.com/windows/wsl/release-notes). + +### Windows Virtual Desktop (WVD) + +Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](https://aka.ms/wvdgetstarted) for the latest and greatest information, as well as the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent). + +## Microsoft Edge + +Read about plans for the new Microsoft Edge and other innovations announced at [Build 2020](https://blogs.windows.com/msedgedev/2020/05/19/microsoft-edge-news-developers-build-2020/) and [What's new at Microsoft Edge Insider](https://www.microsoftedgeinsider.com/whats-new). + +Also see information about the exciting new Edge browser [here](https://blogs.windows.com/windowsexperience/2020/01/15/new-year-new-browser-the-new-microsoft-edge-is-out-of-preview-and-now-available-for-download/). + +## Application settings + +This release enables explicit [control over when Windows automatically restarts apps](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC. + +## Windows Shell + +Several enhancements to the Windows 10 user interface are implemented in this release: + +### Cortana + +[Cortana](https://www.microsoft.com/cortana) has been updated and enhanced in Windows 10, version 2004: +- Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US. + - In the coming months, with regular app updates through the Microsoft Store, we’ll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users. +- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365’s enterprise-level privacy, security, and compliance promises](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide) as set out in the Online Services Terms. +- Move the Cortana window: drag the Cortana window to a more convenient location on your desktop. + +For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpdatesMay2020). + +### Windows Search + +Windows Search is improved in several ways. For more information, see [Supercharging Windows Search](https://aka.ms/AA8kllm). + +### Virtual Desktops + +You can now [rename your virtual desktops](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#renaming-your-virtual-desktops-build-18975), instead of getting stuck with the system-issued names like Desktop 1. + +### Bluetooth pairing + +Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](https://docs.microsoft.com/windows-insider/at-home/Whats-new-wip-at-home-20h1#improving-your-bluetooth-pairing-experience-build-18985). + +### Reset this PC + +The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-reset-this-pc-option-cloud-download-build-18970) option. + +### Task Manager + +The following items are added to Task Manager in this release: +- GPU Temperature is available on the Performance tab for devices with a dedicated GPU card. +- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#disk-type-visible-in-task-manager-performance-tab-build-18898). + +## Graphics & display + +### DirectX + +[New DirectX 12 features](https://devblogs.microsoft.com/directx/dev-preview-of-new-directx-12-features/) are available in this release. + +### 2-in-1 PCs + +A [new tablet experience](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for two-in-one convertible PCs is available. The screen will be optimized for touch When you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption. + +### Specialized displays + +With this update, devices running Windows 10 Enterprise or Windows 10 Pro for Workstations with multiple displays can be configured to prevent Windows from using a display, making it available for a specialized purpose. + +Examples include: +- Fixed-function arcade & gaming such as cockpit, driving, flight, and military simulators +- Medical imaging devices with custom panels, such as grayscale X-ray displays +- Video walls like those displayed in Microsoft Store +- Dedicated video monitoring +- Monitor panel testing and validation +- Independent Hardware Vendor (IHV) driver testing and validation + +To prevent Windows from using a display, choose Settings > Display and click Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use. + +## Desktop Analytics + +[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license. + +For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/whats-new). + +## See Also + +[What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
+[What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
+[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
+[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
+[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
+[Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
+[What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.
+[What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
+[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
+[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.