Microsoft System Center Configuration Manager 2007 R2 or later |
SP1 or later |
64-bit
@@ -441,6 +454,8 @@ The following table lists the server processor, RAM, and disk space requirements
### Client operating system requirements
+We strongly recommend that you run the MBAM Client and MBAM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on.
+
The following table lists the operating systems that are supported for MBAM Client installation. The same requirements apply to the Stand-alone and the Configuration Manager Integration topologies.
@@ -472,20 +487,14 @@ The following table lists the operating systems that are supported for MBAM Clie
32-bit or 64-bit |
-Windows 8 |
-Enterprise |
- |
-32-bit or 64-bit |
-
-
Windows 7 |
Enterprise or Ultimate |
SP1 |
32-bit or 64-bit |
-
+
Windows To Go |
-Windows 8, Windows 8.1, and Windows 10 Enterprise |
+Windows 8.1 and Windows 10 Enterprise |
|
32-bit or 64-bit |
@@ -532,30 +541,24 @@ The following table lists the operating systems that are supported for MBAM Grou
32-bit or 64-bit |
-Windows 8 |
-Enterprise, or Pro |
- |
-32-bit or 64-bit |
-
-
Windows 7 |
Enterprise, or Ultimate |
SP1 |
32-bit or 64-bit |
-
+
Windows Server 2012 R2 |
Standard or Datacenter |
|
64-bit |
-
+
Windows Server 2012 |
Standard or Datacenter |
|
64-bit |
-
+
Windows Server 2008 R2 |
Standard, Enterprise, or Datacenter |
SP1 |
diff --git a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
index 3fcb31c12e..7779461ff4 100644
--- a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
+++ b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
@@ -72,8 +72,7 @@ Before you install the MBAM Client software on end users' computers, ensure that
**Important**
-If BitLocker was used without MBAM, you must decrypt the drive and then clear TPM using tpm.msc. MBAM cannot take ownership of TPM if the client PC is already encrypted and the TPM owner password created.
-
+If BitLocker was used without MBAM, MBAM can be installed and utilize the existing TPM information.
## Got a suggestion for MBAM?
diff --git a/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md b/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
index 7a1f4ce2ae..b52e59331b 100644
--- a/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
+++ b/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
@@ -118,6 +118,22 @@ If Internet Explorer Enhanced Security Configuration (ESC) is turned on, an "Acc
**Workaround:** If the "Access Denied" error message appears when you try to view reports on the MBAM Server, you can set a Group Policy Object or change the default manually in your image to disable Enhanced Security Configuration. You can also alternatively view the reports from another computer on which ESC is not enabled.
+### Support for Bitlocker XTS-AES encryption algorithm
+Bitlocker added support for the XTS-AES encryption algorithm in Windows 10, version 1511.
+As of HF02, MBAM now supports this Bitlocker option and is a client-only update.
+However, there are two known limitations:
+
+* MBAM will correctly report compliance status but the **Cipher Strength** field in MBAM reports will be empty.
+MBAM pre-built reports and compliance charts won’t break but the **Cipher Strength** column will be empty for XTS machines.
+Also, if a customer has a custom report that uses this particular field, they may have to make adjustments to accommodate this update.
+
+* Customers must use the same encryption strength for OS and data volumes on the same machine.
+If different encryption strengths are used, MBAM will report the machine as **non-compliant**.
+
+### Self-Service Portal automatically adds "-" on Key ID entry
+As of HF02, the MBAM Self-Service Portal automatically adds the '-' on Key ID entry.
+**Note:** The Server has to be reconfigured for the Javascript to take effect.
+
## Got a suggestion for MBAM?
diff --git a/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md b/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md
index 41833fc753..a10a065f72 100644
--- a/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md
+++ b/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md
@@ -66,7 +66,7 @@ Windows PowerShell Help for MBAM cmdlets is available in the following formats:
At a Windows PowerShell command prompt, type Get-Help <cmdlet> |
-To upload the latest Windows PowerShell cmdlets, follow the instructions in [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md#bkmk-loadposhhelp) |
+To upload the latest Windows PowerShell cmdlets, follow the instructions in [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md) |
On TechNet as webpages |
diff --git a/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md b/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md
index c4a9a942e4..548d28f073 100644
--- a/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md
+++ b/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md
@@ -51,7 +51,7 @@ Follow these steps to configure your MED-V image for running first time setup:
After you have completed customization of your MED-V image, you are ready to seal the image by using Sysprep.
-**Sealing the MED-V Image by Using Sysprep**
+**Sealing the MED-V Image by Using Sysprep**
1. The System Preparation tool (Sysprep) is a technology that you can use to perform image-based installations throughout the network with minimal intervention by an administrator or IT-Professional.
diff --git a/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md b/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md
index 544141d6d3..51bf199255 100644
--- a/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md
+++ b/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md
@@ -29,7 +29,7 @@ You can add and remove URL redirection information by performing one of the foll
- [Edit the URL Redirection Text File and Rebuild the MED-V Workspace](#bkmk-edittext)
-**To update URL Redirection information by using Group Policy**
+**To update URL Redirection information by using Group Policy**
1. Edit the registry key multi-string value that is named `RedirectUrls`. This value is typically located at:
@@ -44,7 +44,7 @@ This method of editing URL redirection information is a MED-V best practice.
-**To rebuild the MED-V workspace by using an updated URL text file**
+**To rebuild the MED-V workspace by using an updated URL text file**
- Another method of adding and removing URLs from the redirection list is to update the URL redirection text file and then use it to build a new MED-V workspace. You can then redeploy the MED-V workspace as before, by using your standard process of deployment, such as an ESD system.
diff --git a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
index 171a89953e..202fcf0954 100644
--- a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
+++ b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
@@ -47,21 +47,15 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
3. **MED-V Host Agent Installation File** – installs the Host Agent (MED-V\_HostAgent\_Setup installation file). For more information, see [How to Manually Install the MED-V Host Agent](how-to-manually-install-the-med-v-host-agent.md).
**Warning**
- Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution.
-
-
+ Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution.
4. **MED-V Workspace Installer, VHD, and Setup Executable** – created in the **MED-V Workspace Packager**. For more information, see [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md).
**Important**
The compressed virtual hard disk file (.medv) and the Setup executable program (setup.exe) must be in the same folder as the MED-V workspace installer. Then, install the MED-V workspace installer by running setup.exe.
-
-
**Tip**
- Because problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe.
-
-
+ Because problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe.
3. Configure the packages to run in silent mode (no user interaction is required).
@@ -70,15 +64,11 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
**Note**
Installation of Windows Virtual PC requires you to restart the computer. You can create a single installation process and install all the components at the same time if you suppress the restart and ignore the prerequisites necessary for MED-V to install. You can also do this by using command-line arguments. For an example of these arguments, see [To install the MED-V components by using a batch file](#bkmk-batch). MED-V automatically starts when the computer is restarted.
-
-
4. Install MED-V and its components before installing Windows Virtual PC. See the example batch file later in this topic.
**Important**
Select the **IGNORE\_PREREQUISITES** option as shown in the example batch file so that the MED-V components can be installed prior to the required VPC components. Install the MED-V components in this order to allow for the single restart.
-
-
5. Identify any other requirements necessary for the installation and for your software distribution system, such as target platforms and the free disk space.
6. Assign the packages to the target set of computers/users.
@@ -91,7 +81,7 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
First time setup starts and might take several minutes to finish, depending on the size of the virtual hard disk that you specified and the number of policies applied to the MED-V workspace on startup. The end user can track the progress by watching the MED-V icon in the notification area. For more information about first time setup, see [MED-V 2.0 Deployment Overview](med-v-20-deployment-overview.md).
-**To install the MED-V components by using a batch file**
+**To install the MED-V components by using a batch file**
1. Run the installation at a command prompt with administrative credentials.
diff --git a/mdop/medv-v2/how-to-test-application-publishing.md b/mdop/medv-v2/how-to-test-application-publishing.md
index ad7c458632..7791f99e06 100644
--- a/mdop/medv-v2/how-to-test-application-publishing.md
+++ b/mdop/medv-v2/how-to-test-application-publishing.md
@@ -15,7 +15,7 @@ ms.prod: w7
After your test of first time setup finishes, you can verify that the application publishing functionality is working as expected by performing the following tasks.
-**To test application publishing**
+**To test application publishing**
1. Verify that the applications that you specified for publishing are visible.
@@ -34,8 +34,6 @@ After your test of first time setup finishes, you can verify that the applicatio
**Important**
Because Windows Virtual PC does not support creating a share from a folder that is already shared, redirection does not occur for any documents that open from a shared folder, such as a My Documents folder that is located on the network. For more information, see [Operations Troubleshooting](operations-troubleshooting-medv2.md).
-
-
After you have verified that published applications are installed and functioning correctly, you can test whether applications can be added or removed from the MED-V workspace.
**To test that an application can be added or removed**
@@ -51,15 +49,12 @@ After you have verified that published applications are installed and functionin
**Note**
If you encounter any problems when verifying your application publication settings, see [Operations Troubleshooting](operations-troubleshooting-medv2.md).
-
-
After you have completed testing application publishing, you can test other MED-V workspace configurations to verify that they function as intended.
After you have completed testing your MED-V workspace package and have verified that it is functioning as intended, you can deploy the MED-V workspace to your enterprise.
## Related topics
-
[How to Test URL Redirection](how-to-test-url-redirection.md)
[How to Verify First Time Setup Settings](how-to-verify-first-time-setup-settings.md)
diff --git a/mdop/medv-v2/how-to-test-url-redirection.md b/mdop/medv-v2/how-to-test-url-redirection.md
index 292c86b05c..21781c9cab 100644
--- a/mdop/medv-v2/how-to-test-url-redirection.md
+++ b/mdop/medv-v2/how-to-test-url-redirection.md
@@ -18,9 +18,7 @@ After your test of first time setup finishes, you can verify that the URL redire
**Important**
The MED-V Host Agent must be running for URL redirection to function correctly.
-
-
-**To test URL Redirection**
+**To test URL Redirection**
1. Open an Internet Explorer browser in the host computer and enter a URL that you specified for redirection.
@@ -45,20 +43,15 @@ The MED-V Host Agent must be running for URL redirection to function correctly.
**Note**
It can take several seconds for the URL redirection changes to take place.
-
-
**Note**
If you encounter any problems when verifying your URL redirection settings, see [Operations Troubleshooting](operations-troubleshooting-medv2.md).
-
-
After you have completed testing URL redirection in your MED-V workspace, you can test other configurations to verify that they function as intended.
After you have completed testing your MED-V workspace package and have verified that it is functioning as intended, you can deploy the MED-V workspace to your enterprise.
## Related topics
-
[How to Test Application Publishing](how-to-test-application-publishing.md)
[How to Verify First Time Setup Settings](how-to-verify-first-time-setup-settings.md)
diff --git a/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md b/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md
index da5caca883..75c4d4f4b9 100644
--- a/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md
+++ b/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md
@@ -70,7 +70,7 @@ If upon installation the user or administrator choses to participate in the Cust
### Monitor Application Settings
-The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It is runs at logon but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory.
+The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It is run at logon but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory.
@@ -96,7 +96,7 @@ The **Monitor Application Settings** task is used to synchronize settings for Wi
### Sync Controller Application
The **Sync Controller Application** task is used to start the Sync Controller to synchronize settings from the computer to the settings storage location. By default, the task runs every 30 minutes. At that time, local settings are synchronized to the settings storage location, and updated settings on the settings storage location are synchronized to the computer. The Sync Controller application runs the Microsoft.Uev.SyncController.exe, which is located in the UE-V Agent installation directory.
-
+**Note:** As per the **Monitor Application Settings** task, this task is run at logon but is delayed by 30 seconds to not affect the logon detrimentally.
@@ -305,7 +305,7 @@ The following additional information applies to UE-V scheduled tasks:
- ll task sequence programs are located in the UE-V Agent installation folder, `%programFiles%\Microsoft User Experience Virtualization\Agent\[architecture]\`, by default.
-- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V 2 default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings do not synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute. You can also increase the 30 min default to a higher amount if necessary.
+- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V 2 default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings do not synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute. You can also increase the 30 min default to a higher amount if necessary. If users complain that settings do not synchronize fast enough on logon, then you can remove the delay setting for the scheduled task. (You can find the delay setting in the **Edit Trigger** dialogue box)
- You do not need to disable the Template Auto Update scheduled task if you use another method to keep the clients’ templates in sync (i.e. Group Policy or Configuration Manager Baselines). Leaving the SettingsTemplateCatalog property value blank prevents UE-V from checking the settings catalog for custom templates. This scheduled task runs ApplySettingsCatalog.exe and will essentially return immediately.
diff --git a/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md b/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md
index 036cada1cc..cecf6f4ceb 100644
--- a/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md
+++ b/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md
@@ -103,9 +103,7 @@ It might be necessary to change the PowerShell execution policy to allow these s
2. In the **User Agent** tab, set the **PowerShell Execution Policy** to **Bypass**
-
-
-**Create the First UE-V Policy Configuration Item**
+**Create the First UE-V Policy Configuration Item**
1. Copy the default settings configuration file from the UE-V Config Pack installation directory to a location visible to your ConfigMgr Admin Console:
@@ -173,8 +171,6 @@ It might be necessary to change the PowerShell execution policy to allow these s
3. Reimport the CAB file. The version in ConfigMgr will be updated.
## Generate a UE-V Template Baseline
-
-
UE-V templates are distributed using a baseline containing multiple configuration items. Each configuration item contains the discovery and remediation scripts needed to install one UE-V template. The actual UE-V template is embedded within the remediation script for distribution using standard Configuration Item functionality.
The UE-V template baseline is created using the UevTemplateBaselineGenerator.exe command line tool, which has these parameters:
diff --git a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
index a97b55540e..886b343e52 100644
--- a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
+++ b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
@@ -45,7 +45,7 @@ This workflow diagram provides a high-level understanding of a UE-V deployment a
-**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components you’ll be deploying. Planning a UE-V deployment involves these things:
+**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components you’ll be deploying. Planning a UE-V deployment involves these things:
- [Decide whether to synchronize settings for custom applications](#deciding)
diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md
index 893c06b098..4fed1981ec 100644
--- a/windows/deploy/TOC.md
+++ b/windows/deploy/TOC.md
@@ -45,6 +45,7 @@
### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md)
## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md
index a3dce6ef96..82c95ff35b 100644
--- a/windows/deploy/activate-using-active-directory-based-activation-client.md
+++ b/windows/deploy/activate-using-active-directory-based-activation-client.md
@@ -91,7 +91,7 @@ To verify your Active Directory-based activation configuration, complete the fol
6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
**Note**
- If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmrg.vbs /dlv** command also indicates whether KMS has been used.
+ If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md
index fb3f4478ec..f7e67993e5 100644
--- a/windows/deploy/change-history-for-deploy-windows-10.md
+++ b/windows/deploy/change-history-for-deploy-windows-10.md
@@ -11,10 +11,18 @@ author: greg-lindsay
# Change history for Deploy Windows 10
This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## October 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) | New |
+
## September 2016
| New or changed topic | Description |
|----------------------|-------------|
| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New |
+| [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) | Updated with prerequisites for site discovery |
+| [Resolve application and driver issues](upgrade-analytics-resolve-issues.md) | Updated with app status info for Ready For Windows |
+| [Review site discovery](upgrade-analytics-review-site-discovery.md) | New |
## RELEASE: Windows 10, version 1607
diff --git a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index 3d55bb7385..bfb8f98424 100644
--- a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -47,10 +47,8 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**.
- **Note**
- The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
-
-
+ >[!NOTE]
+ >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**.
@@ -58,16 +56,14 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
- 
+ 
Figure 15. Add the DaRT component to the Configuration Manager boot image.
6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ ContosoBackground.bmp**. Then click **Next** twice.
- **Note**
- It will take a few minutes to generate the boot image.
-
-
+ >[!NOTE]
+ >It will take a few minutes to generate the boot image.
7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
@@ -75,9 +71,9 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
9. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image.
- 
+ 
- Figure 16. Content status for the Zero Touch WinPE x64 boot image.
+ Figure 16. Content status for the Zero Touch WinPE x64 boot image
10. Using the Configuration Manager Console, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
diff --git a/windows/deploy/images/upgrade-process.png b/windows/deploy/images/upgrade-process.png
new file mode 100644
index 0000000000..b2b77708fc
Binary files /dev/null and b/windows/deploy/images/upgrade-process.png differ
diff --git a/windows/deploy/index.md b/windows/deploy/index.md
index 504b8b4dc8..38c64b3abc 100644
--- a/windows/deploy/index.md
+++ b/windows/deploy/index.md
@@ -21,6 +21,7 @@ Learn about deploying Windows 10 for IT professionals.
|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |
|[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
+|[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
| [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) | Create a provisioning package to apply commonly used settings to a PC running Windows 10. |
diff --git a/windows/deploy/introduction-vamt.md b/windows/deploy/introduction-vamt.md
index 3d51c0dd02..133b8e6966 100644
--- a/windows/deploy/introduction-vamt.md
+++ b/windows/deploy/introduction-vamt.md
@@ -22,18 +22,18 @@ VAMT can be installed on, and can manage, physical or virtual instances. VAMT ca
- [Enterprise Environment](#bkmk-enterpriseenvironment)
- [VAMT User Interface](#bkmk-userinterface)
-## Managing Multiple Activation Key (MAK) and Retail Activation
+## Managing Multiple Activation Key (MAK) and Retail Activation
You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
-## Managing Key Management Service (KMS) Activation
+## Managing Key Management Service (KMS) Activation
In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
-## Enterprise Environment
+## Enterprise Environment
VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
@@ -42,7 +42,7 @@ VAMT is commonly implemented in enterprise environments. The following illustrat
In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
-## VAMT User Interface
+## VAMT User Interface
The following screenshot shows the VAMT graphical user interface.
diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
index 637b6aaaca..546035f735 100644
--- a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
+++ b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
@@ -92,9 +92,10 @@ By default MDT stores the log files locally on the client. In order to capture a
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
+
``` syntax
New-Item -Path E:\Logs -ItemType directory
- New-SmbShare ?Name Logs$ ?Path E:\Logs -ChangeAccess EVERYONE
+ New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
```
diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 4f25bc9987..ea62cd3903 100644
--- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -49,25 +49,25 @@ To configure permissions for the various service accounts needed for operating s
2. Select the Service Accounts OU and create the CM\_JD account using the following settings:
- 1. Name: CM\_JD
+ * Name: CM\_JD
- 2. User logon name: CM\_JD
+ * User logon name: CM\_JD
- 3. Password: P@ssw0rd
+ * Password: P@ssw0rd
- 4. User must change password at next logon: Clear
+ * User must change password at next logon: Clear
- 5. User cannot change password: Select
+ * User cannot change password: Select
- 6. Password never expires: Select
+ * Password never expires: Select
3. Repeat the step, but for the CM\_NAA account.
4. After creating the accounts, assign the following descriptions:
- 1. CM\_JD: Configuration Manager Join Domain Account
+ * CM\_JD: Configuration Manager Join Domain Account
- 2. CM\_NAA: Configuration Manager Network Access Account
+ * CM\_NAA: Configuration Manager Network Access Account
@@ -93,39 +93,37 @@ In order for the Configuration Manager Join Domain Account (CM\_JD) to join mach
3. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted:
- 1. Scope: This object and all descendant objects
+ * Scope: This object and all descendant objects
- 2. Create Computer objects
+ * Create Computer objects
- 3. Delete Computer objects
+ * Delete Computer objects
- 4. Scope: Descendant Computer objects
+ * Scope: Descendant Computer objects
- 5. Read All Properties
+ * Read All Properties
- 6. Write All Properties
+ * Write All Properties
- 7. Read Permissions
+ * Read Permissions
- 8. Modify Permissions
+ * Modify Permissions
- 9. Change Password
+ * Change Password
- 10. Reset Password
+ * Reset Password
- 11. Validated write to DNS host name
+ * Validated write to DNS host name
- 12. Validated write to service principal name
+ * Validated write to service principal name
## Review the Sources folder structure
To support the packages you create in this section, the following folder structure should be created on the Configuration Manager primary site server (CM01):
-**Note**
-In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
-
-
+>[!NOTE]
+>In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
- E:\\Sources
@@ -168,9 +166,9 @@ To extend the Configuration Manager console with MDT 2013 Update 2 wizards and t
5. From the Start screen, run Configure ConfigManager Integration with the following settings:
- 1. Site Server Name: CM01.contoso.com
+ * Site Server Name: CM01.contoso.com
- 2. Site code: PS1
+ * Site code: PS1
@@ -221,15 +219,15 @@ Configuration Manager has many options for starting a deployment, but starting v
3. In the **PXE** tab, select the following settings:
- 1. Enable PXE support for clients
+ * Enable PXE support for clients
- 2. Allow this distribution point to respond to incoming PXE requests
+ * Allow this distribution point to respond to incoming PXE requests
- 3. Enable unknown computer support
+ * Enable unknown computer support
- 4. Require a password when computers use PXE
+ * Require a password when computers use PXE
- 5. Password and Confirm password: Passw0rd!
+ * Password and Confirm password: Passw0rd!
diff --git a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index fe8e875c6b..6f41793f47 100644
--- a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -40,30 +40,30 @@ In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
- 1. General
+ * General
- 2. Name: Install Windows 10 Enterprise x64
+ * Name: Install Windows 10 Enterprise x64
- 3. Limited Collection: All Systems
+ * Limited Collection: All Systems
- 4. Membership rules:
+ * Membership rules:
- 5. Direct rule
+ * Direct rule
- 6. Resource Class: System Resource
+ * Resource Class: System Resource
- 7. Attribute Name: Name
+ * Attribute Name: Name
- 8. Value: PC0003
+ * Value: PC0003
- 9. Select **Resources**
+ * Select **Resources**
- 10. Select **PC0003**
+ * Select **PC0003**
2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
-**Note**
-It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
+ >[!NOTE]
+ >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
@@ -82,8 +82,8 @@ Using the Configuration Manager console, in the Software Library workspace, sele
- Make available to the following: Configuration Manager clients, media and PXE
- **Note**
- It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
+ >[!NOTE]
+ >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
@@ -110,10 +110,8 @@ Now you can start the computer refresh on PC0003.
1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**.
- **Note**
- The Client Notification feature is new in Configuration Manager.
-
-
+ >[!NOTE]
+ >The Client Notification feature is new in Configuration Manager.
2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**.
diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
index 450e831b33..91eb3986c7 100644
--- a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
@@ -20,7 +20,7 @@ This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (L
For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
+
Figure 1. The machines used in this topic.
@@ -28,15 +28,21 @@ Figure 1. The machines used in this topic.
Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation.
For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will:
+
1. Back up data and settings locally, in a backup folder.
+
2. Wipe the partition, except for the backup folder.
+
3. Apply the new operating system image.
+
4. Install other applications.
+
5. Restore data and settings.
+
During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data.
-**Note**
-In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
+>[!NOTE]
+>In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
### Multi-user migration
@@ -45,8 +51,8 @@ by configuring command-line switches to ScanState (added as rules in MDT).
As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
-**Note**
-You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
+>[!NOTE]
+>You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
### Support for additional settings
@@ -55,12 +61,15 @@ In addition to the command-line switches that control which profiles to migrate,
## Create a custom User State Migration Tool (USMT) template
In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will:
+
1. Back up the **C:\\Data** folder (including all files and folders).
+
2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine.
-The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
-- [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
-- [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
-- [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
+ The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
+
+ * [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
+ * [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
+ * [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
### Add the custom XML template
@@ -77,27 +86,30 @@ In order to use the custom MigContosoData.xml USMT template, you need to copy it
After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10.
-**Note**
-MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+>[!NOTE]
+>MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
### Upgrade (refresh) a Windows 7 SP1 client
1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings:
- 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
- 2. Computer name: <default>
- 3. Specify where to save a complete computer backup: Do not back up the existing computer
- **Note**
- Skip this optional full WIM backup. The USMT backup will still run.
+
+ * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
+ * Computer name: <default>
+ * Specify where to save a complete computer backup: Do not back up the existing computer
+ >[!NOTE]
+ >Skip this optional full WIM backup. The USMT backup will still run.
2. Select one or more applications to install: Install - Adobe Reader XI - x86
-3. The setup now starts and does the following:
- 1. Backs up user settings and data using USMT.
- 2. Installs the Windows 10 Enterprise x64 operating system.
- 3. Installs the added application(s).
- 4. Updates the operating system via your local Windows Server Update Services (WSUS) server.
- 5. Restores user settings and data using USMT.
-
+3. The setup now starts and does the following:
+
+ * Backs up user settings and data using USMT.
+ * Installs the Windows 10 Enterprise x64 operating system.
+ * Installs the added application(s).
+ * Updates the operating system via your local Windows Server Update Services (WSUS) server.
+ * Restores user settings and data using USMT.
+
+
Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
@@ -109,7 +121,6 @@ Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
-
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
diff --git a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 5691f94681..397914bb14 100644
--- a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -32,9 +32,9 @@ In this topic, you will create a backup-only task sequence that you run on PC000
3. On the **General** page, assign the following settings and click **Next**:
- 1. Task sequence name: Replace Task Sequence
+ * Task sequence name: Replace Task Sequence
- 2. Task sequence comments: USMT backup only
+ * Task sequence comments: USMT backup only
4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
@@ -48,9 +48,11 @@ In this topic, you will create a backup-only task sequence that you run on PC000
9. On the **Confirmation** page, click **Finish**.
-10. Review the Replace Task Sequence. Note: This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
+10. Review the Replace Task Sequence.
+>[!NOTE]
+>This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
-
+
Figure 34. The backup-only task sequence (named Replace Task Sequence).
@@ -67,13 +69,13 @@ This section walks you through the process of associating a blank machine, PC000
4. On the **Single Computer** page, use the following settings and then click **Next**:
- 1. Computer Name: PC0006
+ * Computer Name: PC0006
- 2. MAC Address: <the mac address from step 1>
+ * MAC Address: <the mac address from step 1>
- 3. Source Computer: PC0004
+ * Source Computer: PC0004
- 
+ 
Figure 35. Creating the computer association between PC0004 and PC0006.
@@ -96,25 +98,25 @@ This section walks you through the process of associating a blank machine, PC000
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings.
- 1. General
+ * General
- 2. Name: USMT Backup (Replace)
+ * Name: USMT Backup (Replace)
- 3. Limited Collection: All Systems
+ * Limited Collection: All Systems
- 4. Membership rules:
+ * Membership rules:
- 5. Direct rule
+ * Direct rule
- 6. Resource Class: System Resource
+ * Resource Class: System Resource
- 7. Attribute Name: Name
+ * Attribute Name: Name
- 8. Value: PC0004
+ * Value: PC0004
- 9. Select **Resources**
+ * Select **Resources**
- 10. Select **PC0004**
+ * Select **PC0004**
2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection.
@@ -158,10 +160,8 @@ This section assumes that you have a machine named PC0004 with the Configuration
2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**.
- **Note**
- You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
-
-
+ >[!NOTE]
+ >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**.
@@ -173,8 +173,8 @@ This section assumes that you have a machine named PC0004 with the Configuration
7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
-**Note**
-It may take a few minutes for the user state store location to be populated.
+ >[!NOTE]
+ >It may take a few minutes for the user state store location to be populated.
@@ -183,21 +183,21 @@ It may take a few minutes for the user state store location to be populated.
1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
- 1. Password: P@ssw0rd
+ * Password: P@ssw0rd
- 2. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
+ * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
2. The setup now starts and does the following:
- 1. Installs the Windows 10 operating system
+ * Installs the Windows 10 operating system
- 2. Installs the Configuration Manager client
+ * Installs the Configuration Manager client
- 3. Joins it to the domain
+ * Joins it to the domain
- 4. Installs the applications
+ * Installs the applications
- 5. Restores the PC0004 backup
+ * Restores the PC0004 backup
When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored.
diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
index c4d80c812b..a3e51c36b6 100644
--- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -19,7 +19,7 @@ author: mtniehaus
A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it.
For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, and PC0007. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. PC0002 is an old machine running Windows 7 SP1. It is going to be replaced by a new Windows 10 machine, PC0007. User State Migration Tool (USMT) will be used to backup and restore data and settings. MDT01, PC0002, and PC0007 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
+
Figure 1. The machines used in this topic.
@@ -30,11 +30,13 @@ When preparing for the computer replace, you need to create a folder in which to
### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share
1. On MDT01, using the Deployment Workbench, update the MDT Production deployment share rules.
+
2. Change the **SkipUserData=YES** option to **NO**, and click **OK**.
### Create and share the MigData folder
1. On MDT01, log on as **CONTOSO\\Administrator**.
+
2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
``` syntax
New-Item -Path E:\MigData -ItemType directory
@@ -45,75 +47,90 @@ When preparing for the computer replace, you need to create a folder in which to
### Create a backup only (replace) task sequence
1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**.
+
2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- 1. Task sequence ID: REPLACE-001
- 2. Task sequence name: Backup Only Task Sequence
- 3. Task sequence comments: Run USMT to backup user data and settings
- 4. Template: Standard Client Replace Task Sequence
+
+ * Task sequence ID: REPLACE-001
+ * Task sequence name: Backup Only Task Sequence
+ * Task sequence comments: Run USMT to backup user data and settings
+ * Template: Standard Client Replace Task Sequence
+
3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
- 
+ 
Figure 2. The Backup Only Task Sequence action list.
## Perform the computer replace
During a computer replace, these are the high-level steps that occur:
+
1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup.
+
2. On the new machine, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
### Execute the replace task sequence
1. On PC0002, log on as **CONTOSO\\Administrator**.
+
2. Verify that you have write access to the **\\\\MDT01\\MigData$** share.
+
3. Execute **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
+
4. Complete the Windows Deployment Wizard using the following settings:
+
1. Select a task sequence to execute on this computer: Backup Only Task Sequence
- 1. Specify where to save your data and settings: Specify a location
- 2. Location: \\\\MDT01\\MigData$\\PC0002
- **Note**
- If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
+ * Specify where to save your data and settings: Specify a location
+ * Location: \\\\MDT01\\MigData$\\PC0002
+
+ >[!NOTE]
+ >If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
2. Specify where to save a complete computer backup: Do not back up the existing computer
3. Password: P@ssw0rd
The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the machine.
- 
+ 
Figure 3. The new task sequence running the Capture User State action on PC0002.
5. On MDT01, verify that you have an USMT.MIG compressed backup file in the **E:\\MigData\\PC0002\\USMT** folder.
- 
+ 
Figure 4. The USMT backup of PC0002.
### Deploy the PC0007 virtual machine
1. Create a virtual machine with the following settings:
- 1. Name: PC0007
- 2. Location: C:\\VMs
- 3. Generation: 2
- 4. Memory: 2048 MB
- 5. Hard disk: 60 GB (dynamic disk)
+
+ * Name: PC0007
+ * Location: C:\\VMs
+ * Generation: 2
+ * Memory: 2048 MB
+ * Hard disk: 60 GB (dynamic disk)
+
2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server.
- 
+ 
Figure 5. The initial PXE boot process of PC0005.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
- 1. Password: P@ssw0rd
- 2. Select a task sequence to execute on this computer:
- 1. Windows 10 Enterprise x64 RTM Custom Image
- 2. Computer Name: PC0007
- 3. Applications: Select the Install - Adobe Reader XI - x86 application.
+
+ * Password: P@ssw0rd
+ * Select a task sequence to execute on this computer:
+ * Windows 10 Enterprise x64 RTM Custom Image
+ * Computer Name: PC0007
+ * Applications: Select the Install - Adobe Reader XI - x86 application.
+
4. The setup now starts and does the following:
- 1. Installs the Windows 10 Enterprise operating system.
- 2. Installs the added application.
- 3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
- 4. Restores the USMT backup from PC0002.
+
+ * Installs the Windows 10 Enterprise operating system.
+ * Installs the added application.
+ * Updates the operating system via your local Windows Server Update Services (WSUS) server.
+ * Restores the USMT backup from PC0002.
## Related topics
diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md
new file mode 100644
index 0000000000..dc86e81da7
--- /dev/null
+++ b/windows/deploy/resolve-windows-10-upgrade-errors.md
@@ -0,0 +1,897 @@
+---
+title: Resolve Windows 10 upgrade errors
+description: Resolve Windows 10 upgrade errors
+ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+localizationpriority: high
+---
+
+# Resolve Windows 10 upgrade errors
+
+**Applies to**
+- Windows 10
+
+This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
+
+If you are not an IT administrator, you can try the [quick fixes](#quick-fixes) listed in this topic. If the quick fixes do not resolve your issue, see [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors) for more information.
+
+## In this topic
+
+The following sections and procedures are provided in this guide:
+
+- [The Windows 10 upgrade process](#the-windows-10-upgrade-process): An explanation of phases used during the upgrade process.
+- [Quick fixes](#quick-fixes): Steps you can take to eliminate many Windows upgrade errors.
+- [Upgrade error codes](#upgrade-error-codes): The components of an error code are explained.
+ - [Result codes](#result-codes): Information about result codes.
+ - [Extend codes](#extend-codes): Information about extend codes.
+- [Log files](#log-files): A list and description of log files useful for troubleshooting.
+ - [Log entry structure](#log-entry-structure): The format of a log entry is described.
+ - [Analyze log files](#analyze-log-files): General procedures for log file analysis, and an example.
+- [Resolution procedures](#resolution-procedures): Causes and mitigation procedures associated with specific error codes.
+ - [0xC1900101](#0xc1900101): Information about the 0xC1900101 result code.
+ - [0x800xxxxx](#0x800xxxxx): Information about result codes that start with 0x800.
+ - [Other result codes](#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
+ - [Other error codes](#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
+
+## The Windows 10 upgrade process
+
+The Windows Setup application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. When performing an operating system upgrade, Windows Setup uses the following phases:
+
+1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Installation components are gathered.
+2. **Safe OS phase**: A recovery partition is configured and updates are installed. An OS rollback is prepared if needed.
+ - Example error codes: 0x2000C, 0x20017
+3. **First boot phase**: Initial settings are applied.
+ - Example error codes: 0x30018, 0x3000D
+4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**.
+ - Example error: 0x4000D, 0x40017
+5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful.
+ - Example error: 0x50000
+
+**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
+
+
+
+DU = Driver/device updates.
+OOBE = Out of box experience.
+WIM = Windows image (Microsoft)
+
+## Quick fixes
+
+The following steps can resolve many Windows upgrade problems.
+
+
+- Remove nonessential external hardware, such as docks and USB devices.
+- Check all hard drives for errors and attempt repairs. To automatically repair hard drives, open an elevated command prompt, switch to the drive you wish to repair, and type the following command. You will be required to reboot the computer if the hard drive being repaired is also the system drive.
+
+
+- Attept to restore and repair system files by typing the following commands at an elevated command prompt. It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image).
+
+- DISM.exe /Online /Cleanup-image /Restorehealth
+- sfc /scannow
+
+
+- Update Windows so that all available recommended updates are installed.
+- Uninstall non-Microsoft antivirus software.
+
+ - Use Windows Defender for protection during the upgrade.
+
- Verify compatibility information and re-install antivirus applications after the upgrade.
+
+- Uninstall all nonessential software.
+- Update firmware and drivers.
+- Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
+- Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS.
+
+
+
+## Upgrade error codes
+
+If the upgrade process is not successful, Windows Setup will return two codes:
+
+1. **A result code**: The result code corresponds to a specific Win32 error.
+2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred.
+
+>For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**.
+
+Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/en-us/kb/3159635) then only a result code might be returned.
+
+### Result codes
+
+>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue.
To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](#resolution-procedures) section later in this topic.
+
+Result codes can be matched to the type of error encountered. To match a result code to an error:
+
+1. Identify the error code type, either Win32 or NTSTATUS, using the first hexidecimal digit:
+
8 = Win32 error code (ex: 0x**8**0070070)
+
C = NTSTATUS value (ex: 0x**C**1900107)
+2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits correspond to the last 16 bits of the [HRESULT](https://msdn.microsoft.com/en-us/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/en-us/library/cc231200.aspx) structure.
+3. Based on the type of error code determined in the first step, match the 4 digits derived from the second step to either a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx), or an [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx).
+
+For example:
+- 0x80070070 = Win32 = 0070 = 0x00000070 = ERROR_DISK_FULL
+- 0xC1900107 = NTSTATUS = 0107 = 0x00000107 = STATUS_SOME_NOT_MAPPED
+
+Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot.
+
+### Extend codes
+
+>Important: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
+
+Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation:
+
+1. Use the first digit to identify the phase (ex: 0x4000D = 4).
+2. Use the last two digits to identify the operation (ex: 0x4000D = 0D).
+3. Match the phase and operation to values in the tables provided below.
+
+The following tables provide the corresponding phase and operation for values of an extend code:
+
+
+| Extend code: phase |
+ | Hex | Phase
+| 0 | SP_EXECUTION_UNKNOWN
+| 1 | SP_EXECUTION_DOWNLEVEL
+| 2 | SP_EXECUTION_SAFE_OS
+| 3 | SP_EXECUTION_FIRST_BOOT
+| 4 | SP_EXECUTION_OOBE_BOOT
+| 5 | SP_EXECUTION_UNINSTALL
+ | | | | | | |
+
+
+| Extend code: operation |
+
+
+| Hex | Operation
+| 0 | SP_EXECUTION_OP_UNKNOWN
+| 1 | SP_EXECUTION_OP_COPY_PAYLOAD
+| 2 | SP_EXECUTION_OP_DOWNLOAD_UPDATES
+| 3 | SP_EXECUTION_OP_INSTALL_UPDATES
+| 4 | SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT
+| 5 | SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE
+| 6 | SP_EXECUTION_OP_REPLICATE_OC
+| 7 | SP_EXECUTION_OP_INSTALL_DRVIERS
+| 8 | SP_EXECUTION_OP_PREPARE_SAFE_OS
+| 9 | SP_EXECUTION_OP_PREPARE_ROLLBACK
+| A | SP_EXECUTION_OP_PREPARE_FIRST_BOOT
+| B | SP_EXECUTION_OP_PREPARE_OOBE_BOOT
+| C | SP_EXECUTION_OP_APPLY_IMAGE
+| D | SP_EXECUTION_OP_MIGRATE_DATA
+| E | SP_EXECUTION_OP_SET_PRODUCT_KEY
+| F | SP_EXECUTION_OP_ADD_UNATTEND
+ | | | | | | | | | | | | | | | | |
+ |
+
+
+| Hex | Operation
+ | | 10 | SP_EXECUTION_OP_ADD_DRIVER
+| 11 | SP_EXECUTION_OP_ENABLE_FEATURE
+| 12 | SP_EXECUTION_OP_DISABLE_FEATURE
+| 13 | SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS
+| 14 | SP_EXECUTION_OP_REGISTER_SYNC_PROCESS
+| 15 | SP_EXECUTION_OP_CREATE_FILE
+| 16 | SP_EXECUTION_OP_CREATE_REGISTRY
+| 17 | SP_EXECUTION_OP_BOOT
+| 18 | SP_EXECUTION_OP_SYSPREP
+| 19 | SP_EXECUTION_OP_OOBE
+| 1A | SP_EXECUTION_OP_BEGIN_FIRST_BOOT
+| 1B | SP_EXECUTION_OP_END_FIRST_BOOT
+| 1C | SP_EXECUTION_OP_BEGIN_OOBE_BOOT
+| 1D | SP_EXECUTION_OP_END_OOBE_BOOT
+| 1E | SP_EXECUTION_OP_PRE_OOBE
+| 1F | SP_EXECUTION_OP_POST_OOBE
+| 20 | SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE
+ | | | | | | | | | | | | | | | | |
+ |
+
+
+
+For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**).
+
+## Log files
+
+Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code.
+
+The following table describes some log files and how to use them for troubleshooting purposes:
+
+
+
+| Log file | Phase: Location | Description | When to use
+
+| setupact.log | Down-Level:
$Windows.~BT\Sources\Panther | Contains information about setup actions during the downlevel phase.
+ | All down-level failures and starting point for rollback investigations.
This is the most important log for diagnosing setup issues.
+ | OOBE:
$Windows.~BT\Sources\Panther\UnattendGC
+ | Contains information about actions during the OOBE phase. | Investigating rollbacks that failed during OOBE phase and operations – 0x4001C, 0x4001D, 0x4001E, 0x4001F.
+ | Rollback:
$Windows.~BT\Sources\Rollback | Contains information about actions during rollback. | Investigating generic rollbacks - 0xC1900101.
+ | Pre-initialization (prior to downlevel):
Windows | Contains information about initializing setup. | If setup fails to launch.
+ | Post-upgrade (after OOBE):
Windows\Panther | Contains information about setup actions during the installation. | Investigate post-upgrade related issues.
+
+ | | setuperr.log | Same as setupact.log | Contains information about setup errors during the installation. | Review all errors encountered during the installation phase.
+
+ | | miglog.xml | Post-upgrade (after OOBE):
Windows\Panther | Contains information about what was migrated during the installation. | Identify post upgrade data migration issues.
+
+ | | BlueBox.log | Down-Level:
Windows\Logs\Mosetup | Contains information communication between setup.exe and Windows Update. | Use during WSUS and WU down-level failures or for 0xC1900107.
+
+ | Supplemental rollback logs:
+Setupmem.dmp
+setupapi.dev.log
+Event logs (*.evtx)
+
+
+ | $Windows.~BT\Sources\Rollback | Additional logs collected during rollback.
+ |
+Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.
+Setupapi: Device install issues - 0x30018
+Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.
+
+ | |
+
+### Log entry structure
+
+A setupact.log or setuperr.log entry includes the following elements:
+
+
+- The date and time - 2016-09-08 09:20:05.
+
- The log level - Info, Warning, Error, Fatal Error.
+
- The logging component - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS.
+
+- The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors.
+
+ - The message - Operation completed successfully.
+
+
+See the following example:
+
+| Date/Time | Log level | Component | Message |
+|------|------------|------------|------------|
+|2016-09-08 09:23:50,| Warning | MIG | Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.|
+
+
+### Analyze log files
+
+To analyze Windows Setup log files:
+
+
+- Determine the Windows Setup error code.
+
- Based on the [extend code](#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate.
+
- Open the log file in a text editor, such as notepad.
+
- Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
+
- To find the last occurrence of the result code:
+
+ - Scroll to the bottom of the file and click after the last character.
+
- Click **Edit**.
+
- Click **Find**.
+
- Type the result code.
+
- Under **Direction** select **Up**.
+
- Click **Find Next**.
+
+ - When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code.
+
- Search for the following important text strings:
+
+ - Shell application requested abort
+
- Abandoning apply due to error for object
+
+ - Decode Win32 errors that appear in this section.
+
- Write down the timestamp for the observed errors in this section.
+
- Search other log files for additional information matching these timestamps or errors.
+
+
+For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file:
+
+>Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just "CN."
+
+setuperr.log content:
+
+
+27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
+27:08, Error Gather failed. Last error: 0x00000000
+27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
+27:09, Error SP CMigrateFramework: Gather framework failed. Status: 44
+27:09, Error SP Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
+27:09, Error SP Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7]
+27:09, Error SP CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
+
+
+The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below):
+
+
+27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+
+
+The error 0x00000570 is a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable.
+
+Therefore, Windows Setup failed because it was not able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure:
+
+setupact.log content:
+
+
+27:00, Info Gather started at 10/5/2016 23:27:00
+27:00, Info [0x080489] MIG Setting system object filter context (System)
+27:00, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
+27:00, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
+27:00, Info SP ExecuteProgress: Elapsed events:1 of 4, Percent: 12
+27:00, Info [0x0802c6] MIG Processing GATHER for migration unit: \UpgradeFramework (CMXEAgent)
+27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
+27:08, Info SP ExecuteProgress: Elapsed events:2 of 4, Percent: 25
+27:08, Info SP ExecuteProgress: Elapsed events:3 of 4, Percent: 37
+27:08, Info [0x080489] MIG Setting system object filter context (System)
+27:08, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
+27:08, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped
+27:08, Info MIG COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
+27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
+27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
+27:08, Error Gather failed. Last error: 0x00000000
+27:08, Info Gather ended at 10/5/2016 23:27:08 with result 44
+27:08, Info Leaving MigGather method
+27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
+
+
+This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f.
+
+## Resolution procedures
+
+### 0xC1900101
+
+A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:
+
+- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp,
+- Event logs: $Windows.~bt\Sources\Rollback\*.evtx
+- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log
+
+The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/en-us/kb/929135) before initiating the upgrade process.
+
+ See the following general troubleshooting procedures associated with a result code of 0xC1900101:
+
+
+
+
+
+
+
+| Code
+ | | 0xC1900101 - 0x20004
+ |
+
+
+| Cause
+ | Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation
+
This is generally caused by out-of-date drivers.
+ |
+ |
+
+
+
+
+| Mitigation
+ | Uninstall antivirus applications.
+
Remove all unused SATA devices.
+
Remove all unused devices and drivers.
+
Update drivers and BIOS.
+ |
+ |
+
+
+
+
+
+| Code
+ | | 0xC1900101 - 0x2000c
+ |
+
+
+| Cause
+ | Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
+
This is generally caused by out-of-date drivers.
+ |
+ |
+
+
+
+
+| Mitigation
+ | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
+
Contact your hardware vendor to obtain updated device drivers.
+
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
+ |
+ |
+
+
+
+
+
+
+| Code
+ | | 0xC1900101 - 0x20017
+
+ |
+
+
+| Cause
+ | A driver has caused an illegal operation.
+
Windows was not able to migrate the driver, resulting in a rollback of the operating system.
+This is a safeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.
+ |
+ |
+
+
+
+
+| Mitigation
+ |
+Ensure that all that drivers are updated.
+Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
+
For more information, see [Understanding Failures and Log Files](https://technet.microsoft.com/en-us/library/ee851579.aspx).
+
Update or uninstall the problem drivers.
+ |
+ |
+
+
+
+
+
+| Code
+ | | 0xC1900101 - 0x30018
+ |
+
+
+| Cause
+ | | A device driver has stopped responding to setup.exe during the upgrade process.
+ |
+ |
+
+
+
+
+| Mitigation
+ |
+Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
+
Contact your hardware vendor to obtain updated device drivers.
+
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
+ |
+ |
+
+
+
+
+
+| Code
+ | | 0xC1900101 - 0x3000D
+ |
+
+
+| Cause
+ | Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
+
This can occur due to a problem with a display driver.
+
+ |
+ |
+
+
+
+
+| Mitigation
+ |
+Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
+
Update or uninstall the display driver.
+ |
+ |
+
+
+
+
+
+| Code
+ | | 0xC1900101 - 0x4000D
+ |
+
+
+| Cause
+ | | A rollback occurred due to a driver configuration issue.
+ Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
+
+ This can occur due to incompatible drivers.
+
+ |
+ |
+
+
+
+
+| Mitigation
+ | |
+ Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
+ Review the rollback log and determine the stop code.
+
The rollback log is located in the **C:\$Windows.~BT\Sources\Panther** folder. An example analysis is shown below. This example is not representative of all cases:
+ Info SP Crash 0x0000007E detected
+
Info SP Module name :
+
Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
+
Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
+
Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
+
Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
+
Info SP Cannot recover the system.
+
Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
+
+
+ Typically there is a a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
+
+1. Make sure you have enough disk space.
+2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
+3. Try changing video adapters.
+4. Check with your hardware vendor for any BIOS updates.
+5. Disable BIOS memory options such as caching or shadowing.
+
+ |
+ |
+
+
+
+
+
+
+| Code
+ | | 0xC1900101 - 0x40017
+ |
+
+
+| Cause
+ | Windows 10 upgrade failed after the second reboot.
+
This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers.
+ |
+ |
+
+
+
+
+| Mitigation
+ | Clean boot into Windows, and then attempt the upgrade to Windows 10.
+
+For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).
+
+Ensure you select the option to "Download and install updates (recommended)."
+ |
+ |
+
+
+
+
+### 0x800xxxxx
+
+Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
+
+See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
+
+
+
+
+
+
+| Code
+ | |
+
+8000405 - 0x20007
+
+ |
+
+
+| Cause
+ | |
+
+An unspecified error occurred with a driver during the SafeOS phase.
+
+ |
+ |
+
+
+
+
+| Mitigation
+ | |
+
+This error has more than one possible cause. Attempt [quick fixes](#quick-fixes), and if not successful, [analyze log files](#analyze-log-files) in order to determine the problem and solution.
+
+ |
+ |
+
+
+
+
+
+| Code
+ | |
+
+800704B8 - 0x3001A
+
+ |
+
+
+| Cause
+ | |
+
+An extended error has occurred during the first boot phase.
+
+ |
+ |
+
+
+
+
+| Mitigation
+ | |
+
+Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/en-us/kb/929135).
+
+ |
+ |
+
+
+
+
+
+| Code
+ | |
+
+8007042B - 0x4000D
+
+ |
+
+
+| Cause
+ |
+
+The installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
+
This issue can occur due to file system, application, or driver issues.
+
+ |
+ |
+
+
+
+
+| Mitigation
+ | |
+
+[Analyze log files](#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object.
+
+ |
+ |
+
+
+
+
+
+| Code
+ | |
+
+8007001F - 0x4000D
+
+ |
+
+
+| Cause
+ | |
+
+General failure, a device attached to the system is not functioning.
+
+ |
+ |
+
+
+
+
+| Mitigation
+ | |
+
+[Analyze log files](#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device.
+
+ |
+ |
+
+
+
+
+
+| Code
+ | |
+
+8007042B - 0x4001E
+
+ |
+
+
+| Cause
+ | |
+
+The installation failed during the second boot phase while attempting the PRE_OOBE operation.
+
+ |
+ |
+
+
+
+
+| Mitigation
+ | |
+
+This error has more than one possible cause. Attempt [quick fixes](#quick-fixes), and if not successful, [analyze log files](#analyze-log-files) in order to determine the problem and solution.
+
+ |
+ |
+
+
+
+
+
+### Other result codes
+
+
+
+
+| Error code
+ | Cause
+ | Mitigation
+ |
+
+
+| 0xC1800118 |
+WSUS has downloaded content that it cannot use due to a missing decryption key. |
+See [Steps to resolve error 0xC1800118](https://blogs.technet.microsoft.com/wsus/2016/09/21/resolving-error-0xc1800118/) for information. |
+
+
+
+| 0xC1900200 |
+Setup.exe has detected that the machine does not meet the minimum system requirements. |
+Ensure the system you are trying to upgrade meets the minimum system requirements. See [Windows 10 specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) for information. |
+
+
+
+
+| 0x80090011 |
+A device driver error occurred during user data migration. |
+Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process.
+ Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. |
+
+
+| 0xC7700112 |
+Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk. |
+This issue is resolved in the latest version of Upgrade Assistant.
+ Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. |
+
+
+
+| 0x80190001 |
+An unexpected error was encountered while attempting to download files required for upgrade. |
+To resolve this issue, download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10).
+ |
+
+
+| 0x80246007 |
+The update was not downloaded successfully. |
+Attempt other methods of upgrading the operating system.
+Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10).
+
Attempt to upgrade using .ISO or USB.
+**Note**: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx).
+ |
+
+
+| 0xC1900201 |
+The system did not pass the minimum requirements to install the update. |
+Contact the hardware vendor to get the latest updates. |
+
+
+| 0x80240017 |
+The upgrade is unavailable for this edition of Windows. |
+Administrative policies enforced by your organization might be preventing the upgrade. Contact your IT administrator. |
+
+
+
+| 0x80070020 |
+The existing process cannot access the file because it is being used by another process. |
+Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135). |
+
+
+| 0x80070522 |
+The user doesn’t have required privilege or credentials to upgrade. |
+Ensure that you have signed in as a local administrator or have local administrator privileges. |
+
+
+| 0xC1900107 |
+A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.
+ |
+Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/en-us/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10). |
+
+
+| 0xC1900209 |
+The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications. |
+Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](https://blogs.technet.microsoft.com/mniehaus/2015/08/23/windows-10-pre-upgrade-validation-using-setup-exe/) for more information.
+
+ You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools.
+ |
+
+
+
+
+| 0x8007002 |
+This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403) |
+Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)
+
+ The error 80072efe means that the connection with the server was terminated abnormally.
+
+ To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.
+ |
+
+
+
+
+### Other error codes
+
+
+
+| Error Codes | Cause | Mitigation |
+| 0x80070003- 0x20007
+ | This is a failure during SafeOS phase driver installation.
+
+ | [Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
+ |
+| 0x8007025D - 0x2000C
+ | This error occurs if the ISO file's metadata is corrupt. | "Re-download the ISO/Media and re-attempt the upgrade.
+
+Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/en-us/software-download/windows10).
+
+ |
+| 0x80070490 - 0x20007 | An incompatible device driver is present.
+
+ | [Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
+
+ |
+| 0xC1900101 - 0x2000c
+ | An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.
+ | Run checkdisk to repair the file system. For more information, see the [quick fixes](#quick-fixes) section in this guide.
+ Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display. |
+| 0xC1900200 - 0x20008
+
+ | The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10.
+
+ | See [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) and verify the computer meets minimum requirements.
+
+
Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/). |
+| 0x80070004 - 0x3000D
+ | This is a problem with data migration during the first boot phase. There are multiple possible causes.
+
+ | [Analyze log files](#analyze-log-files) to determine the issue. |
+| 0xC1900101 - 0x4001E
+ | Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.
+ | This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xc1900101) section of this guide and review general troubleshooting procedures described in that section. |
+| 0x80070005 - 0x4000D
+ | The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.
+ | [Analyze log files](#analyze-log-files) to determine the data point that is reporting access denied. |
+| 0x80070004 - 0x50012
+ | Windows Setup failed to open a file.
+ | [Analyze log files](#analyze-log-files) to determine the data point that is reporting access problems. |
+0xC190020e
+
0x80070070 - 0x50011
+
0x80070070 - 0x50012
+
0x80070070 - 0x60000
+ | These errors indicate the computer does not have enough free space available to install the upgrade.
+ | To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.
+
+ Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
+ |
+
+
+
+
+
+
+## Related topics
+
+[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx)
+
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
+
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md
index b4d23583ec..1d08d1f5cb 100644
--- a/windows/deploy/upgrade-analytics-get-started.md
+++ b/windows/deploy/upgrade-analytics-get-started.md
@@ -2,33 +2,31 @@
title: Get started with Upgrade Analytics (Windows 10)
description: Explains how to get started with Upgrade Analytics.
ms.prod: w10
-author: MaggiePucciEvans
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
---
# Get started with Upgrade Analytics
-Use Upgrade Analytics to plan and manage your upgrade project end to end. After you’ve established communications between user computers and Microsoft, Upgrade Analytics collects computer, application, and driver data for analysis. We use this data to identify compatibility issues that can block your upgrade and suggest fixes that are known to Microsoft.
+This topic explains how to obtain and set up Upgrade Analytics components. If you haven’t done so already, see [Upgrade Analytics requirements](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements) for information about requirements for using Upgrade Analytics. Also, check out the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/UpgradeAnalytics) for new announcements and helpful tips for using Upgrade Analytics.
-For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
+You can use Upgrade Analytics to plan and manage your upgrade project end to end. After you’ve established communications between user computers and Microsoft, Upgrade Analytics collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft.
+
+To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see the following topics:
- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
-
- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-
- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
-
-This topic explains how to obtain and set up Upgrade Analytics components. If you haven’t done so already, see [Upgrade Analytics requirements](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements) for information about requirements for using Upgrade Analytics.
-
To configure Upgrade Analytics, you’ll need to:
- Add the Upgrade Analytics solution to a workspace in the Operations Management Suite portal
-
- Establish communications and enable data sharing between your organization and Microsoft
Each task is explained in detail in the following sections.
-
## Add Upgrade Analytics to Operations Management Suite
Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
@@ -95,13 +93,13 @@ The compatibility update KB scans your computers and enables application usage t
| **Operating System** | **KBs** |
|----------------------|-----------------------------------------------------------------------------|
| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. |
-| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. |
+| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2952664 must be installed before you can download and install KB3150513. |
IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
| **Site discovery** | **KB** |
|----------------------|-----------------------------------------------------------------------------|
-| [Review site discovery](upgrade-analytics-review-site-discovery.md) | [KB 3170106](https://support.microsoft.com/en-us/kb/3170106)
Site discovery requires July 2016 security update for Internet Explorer. |
+| [Review site discovery](upgrade-analytics-review-site-discovery.md) | Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
### Automate data collection
@@ -109,9 +107,7 @@ IMPORTANT: Restart user computers after you install the compatibility update KBs
To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing.
-
- Schedule the Upgrade Analytics deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated. Computers are re-scanned only when the compatibility KBs are updated, so if your inventory changes significantly between KB releases you won’t see the changes in Upgrade Analytics until you run the script again.
-
- Schedule monthly user computer scans to view monthly active computer and usage information.
## Run the Upgrade Analytics deployment script
@@ -170,6 +166,40 @@ To run the Upgrade Analytics deployment script:
6. After you finish editing the parameters in RunConfig.bat, run the script as an administrator.
+The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
+
+
+
+
+| Exit code | Meaning
+ |
|---|
| 0 | Success
+ | | 1 | Unexpected error occurred while executing the script
+ | | 2 | Error when logging to console. $logMode = 0.
+ | | 3 | Error when logging to console and file. $logMode = 1.
+ | | 4 | Error when logging to file. $logMode = 2.
+ | | 5 | Error when logging to console and file. $logMode = unknown.
+ | | 6 | The commercialID parameter is set to unknown. Modify the script.
+ | | 7 | Function -CheckCommercialId: Unexpected failure.
+ | | 8 | Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection.
+ | | 9 | Error when writing CommercialId to registry.
+ | | 10 | Error when writing CommercialDataOptIn to registry.
+ | | 11 | Function -SetupCommercialId: Unexpected failure.
+ | | 12 | Can’t connect to Microsoft – Vortex. Check your network/proxy settings.
+ | | 13 | Can’t connect to Microsoft – setting. Check your network/proxy settings.
+ | | 14 | Can’t connect to Microsoft – compatexchange. Check your network/proxy settings.
+ | | 15 | Error connecting to Microsoft. Check your network/proxy settings.
+ | | 16 | Machine requires reboot.
+ | | 17 | Function -CheckRebootRequired: Unexpected failure.
+ | | 18 | Outdated compatibility update KB package. Update via Windows Update/WSUS.
+ | | 19 | This machine doesn’t have the proper KBs installed. Make sure you have recent compatibility update KB downloaded.
+ | | 20 | Error writing RequestAllAppraiserVersions registry key.
+ | | 21 | Function – SetRequestAllAppraiserVersions: Unexpected failure.
+ | | 22 | Error when running inventory scan.
+ | | 23 | Error finding system variable %WINDIR%.
+ |
+
+
D = Edition downgrade; personal data is maintained, applications and settings are removed.
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index c43b7b759f..0143dc9421 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -34,11 +34,20 @@
### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
+#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md)
#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
-## [VPN profile options](vpn-profile-options.md)
+## [VPN technical guide](vpn-guide.md)
+### [VPN connection types](vpn-connection-type.md)
+### [VPN routing decisions](vpn-routing.md)
+### [VPN authentication options](vpn-authentication.md)
+### [VPN and conditional access](vpn-conditional-access.md)
+### [VPN name resolution](vpn-name-resolution.md)
+### [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+### [VPN security features](vpn-security-features.md)
+### [VPN profile options](vpn-profile-options.md)
## [Windows security baselines](windows-security-baselines.md)
## [Security technologies](security-technologies.md)
### [Access Control Overview](access-control.md)
diff --git a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
index 69108c1fcc..d03cb6cbe3 100644
--- a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
@@ -37,7 +37,7 @@ In this topic:
- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
-- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
+- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add domain devices to the GPO membership group
diff --git a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
index 11b782d3f8..84cdd96dc6 100644
--- a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
@@ -25,11 +25,11 @@ To complete these procedures, you must be a member of the Domain Administrators
In this topic:
-- [Add the test devices to the GPO membership groups](#to-add-domain-devices-to-the-gpo-membership-group)
+- [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-groups)
- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)
-- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
+- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add test devices to the GPO membership groups
diff --git a/windows/keep-secure/advanced-security-audit-policy-settings.md b/windows/keep-secure/advanced-security-audit-policy-settings.md
index 14ecaca52f..dd4bf9d8d5 100644
--- a/windows/keep-secure/advanced-security-audit-policy-settings.md
+++ b/windows/keep-secure/advanced-security-audit-policy-settings.md
@@ -27,7 +27,7 @@ You can access these audit policy settings through the Local Security Policy sna
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
-**Account Logon**
+## Account Logon
Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories:
@@ -36,7 +36,7 @@ Configuring policy settings in this category can help you document attempts to a
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-**Account Management**
+## Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
@@ -47,7 +47,7 @@ The security audit policy settings in this category can be used to monitor chang
- [Audit Security Group Management](audit-security-group-management.md)
- [Audit User Account Management](audit-user-account-management.md)
-**Detailed Tracking**
+## Detailed Tracking
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. This category includes the following subcategories:
@@ -57,7 +57,7 @@ Detailed Tracking security policy settings and audit events can be used to monit
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
-**DS Access**
+## DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
@@ -66,7 +66,7 @@ DS Access security audit policy settings provide a detailed audit trail of attem
- [Audit Directory Service Changes](audit-directory-service-changes.md)
- [Audit Directory Service Replication](audit-directory-service-replication.md)
-**Logon/Logoff**
+## Logon/Logoff
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
@@ -82,11 +82,11 @@ Logon/Logoff security policy settings and audit events allow you to track attemp
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Special Logon](audit-special-logon.md)
-**Object Access**
+## Object Access
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
-Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#bkmk-globalobjectaccess).
+Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing).
This category includes the following subcategories:
@@ -105,7 +105,7 @@ This category includes the following subcategories:
- [Audit SAM](audit-sam.md)
- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
-**Policy Change**
+## Policy Change
Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories:
@@ -116,7 +116,7 @@ Policy Change audit events allow you to track changes to important security poli
- [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
- [Audit Other Policy Change Events](audit-other-policy-change-events.md)
-**Privilege Use**
+## Privilege Use
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
@@ -124,7 +124,7 @@ Permissions on a network are granted for users or computers to complete defined
- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
-**System**
+## System
System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:
@@ -134,7 +134,7 @@ System security policy settings and audit events allow you to track system-level
- [Audit Security System Extension](audit-security-system-extension.md)
- [Audit System Integrity](audit-system-integrity.md)
-**Global Object Access**
+## Global Object Access Auditing
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md
new file mode 100644
index 0000000000..55939649d4
--- /dev/null
+++ b/windows/keep-secure/app-behavior-with-wip.md
@@ -0,0 +1,131 @@
+---
+title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows 10)
+description: How unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) networking policies, app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
+keywords: WIP, Enterprise Data Protection, EDP, Windows Information Protection, unenlightened apps, enlightened apps
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.pagetype: security
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data is encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or people will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.
+
+To avoid the automatic encryption of data, developers can enlighten apps by adding and compiling code using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that:
+
+- Don’t use common controls for saving files.
+- Don’t use common controls for text boxes.
+- Simultaneously work on personal and corporate data (for example, contact apps that display personal and corporate data in a single view or a browser that displays personal and corporate web pages on tabs within a single instance).
+
+We strongly suggest that the only unenlightened apps you add to your allowed apps list are Line-of-Business (LOB) apps.
+
+>[!Note]
+>For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/en-us/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center.
+
+## Unenlightened app behavior
+This table includes info about how unenlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
+
+
+
+ | App rule setting |
+ Networking policy configuration |
+
+
+ | |
+ Name-based policies, without the /*AppCompat*/ string |
+ Name-based policies, using the /*AppCompat*/ string or proxy-based policies |
+
+
+ | Not required. App connects to enterprise cloud resources directly, using an IP address. |
+
+
+ - App is entirely blocked from both personal and enterprise cloud resources.
+ - No encryption is applied.
+ - App can’t access local Work files.
+
+ |
+
+
+ - App can access both personal and enterprise cloud resources. However, you might encounter apps using policies that restrict access to enterprise cloud resources.
+ - No encryption is applied.
+ - App can’t access local Work files.
+
+ |
+
+
+ | Not required. App connects to enterprise cloud resources, using a hostname. |
+
+
+ - App is blocked from accessing enterprise cloud resources, but can access other network resources.
+ - No encryption is applied.
+ - App can’t access local Work files.
+
+ |
+
+
+ | Allow. App connects to enterprise cloud resources, using an IP address or a hostname. |
+
+
+ - App can access both personal and enterprise cloud resources.
+ - Auto-encryption is applied.
+ - App can access local Work files.
+
+ |
+
+
+ | Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. |
+
+
+ - App can access both personal and enterprise cloud resources.
+ - No encryption is applied.
+ - App can access local Work files.
+
+ |
+
+
+
+## Enlightened app behavior
+This table includes info about how enlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
+
+
+
+ | App rule setting |
+ Networking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies |
+
+
+ | Not required. App connects to enterprise cloud resources, using an IP address or a hostname. |
+
+
+ - App is blocked from accessing enterprise cloud resources, but can access other network resources.
+ - No encryption is applied.
+ - App can't access local Work files.
+
+ |
+
+
+ | Allow. App connects to enterprise cloud resources, using an IP address or a hostname. |
+
+
+ - App can access both personal and enterprise cloud resources.
+ - App protects work data and leaves personal data unprotected.
+ - App can access local Work files.
+
+ |
+
+
+ | Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. |
+
+
+ - App can access both personal and enterprise cloud resources.
+ - App protects work data and leaves personal data unprotected.
+ - App can access local Work files.
+
+ |
+
+
diff --git a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
index 0beb5a8932..3f72f93ba5 100644
--- a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
@@ -117,7 +117,7 @@ When you need to recover the TPM owner information from AD DS and use it to man
**To obtain TPM owner backup information from AD DS and create a password file**
1. Sign in to a domain controller by using domain administrator credentials.
-2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-tpm-ownerinformation), to a location on your computer.
+2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#bkmk-get-tpmownerinfo), to a location on your computer.
3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step.
4. At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**.
diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md
index c329ed5d14..6e3ae93c32 100644
--- a/windows/keep-secure/bitlocker-frequently-asked-questions.md
+++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md
@@ -319,7 +319,7 @@ When an administrator selects the **Require BitLocker backup to AD DS** check b
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#bkmk-adretro) to capture the information after connectivity is restored.
+When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
## Security
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index 6dc8ea8b8c..ff78e3129d 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -12,6 +12,17 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## October 2016
+
+| New or changed topic | Description |
+| --- | --- |
+|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Added Microsoft Remote Desktop information. |
+|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about where the optioanl icon overlay appears.|
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added content about using ActiveX controls.|
+|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |New |
+|[VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
+|[Windows security baselines](windows-security-baselines.md) | Added Windows 10, version 1607 and Windows Server 2016 baseline |
+
## September 2016
| New or changed topic | Description |
@@ -20,7 +31,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
| [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs |
-| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq ezxample and added a new Windows PowerShell example for creating a self-signed certficate |
+| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq example and added a new Windows PowerShell example for creating a self-signed certificate |
## August 2016
|New or changed topic | Description |
diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index 3b4fddffaf..b5b16faf54 100644
--- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -33,15 +33,54 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint Management** on the **Navigation pane**.
+ a. Select **Endpoint Management** on the **Navigation pane**.
- b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file.
+ b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
+
+ 
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
-Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
+ a. Select **Policy** > **Configuration Policies** > **Add**.
+ 
+
+ b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
+ 
+
+ c. Type a name and description for the policy.
+ 
+
+ d. Under OMA-URI settings, select **Add...**.
+ 
+
+ e. Type the following values then select **OK**:
+
+ 
+
+ - **Setting name**: Type a name for the setting.
+ - **Setting description**: Type a description for the setting.
+ - **Data type**: Select **String**.
+ - **OMA-URI**: *./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding*
+ - **Value**: Copy and paste the contents of the *WindowsDefenderATP.onboarding* file you downloaded.
+
+
+ f. Save the policy.
+
+ 
+
+ g. Deploy the policy.
+
+ 
+
+ h. Select the device group to deploy the policy to:
+
+ 
+
+When the policy is deployed and is propagated, endpoints will be shown in the **Machines view**.
+
+You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
- Onboarding
- Health Status for onboarded machines
- Configuration for onboarded machines
@@ -49,10 +88,10 @@ Onboarding - Use the onboarding policies to deploy configuration settings on end
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding
-Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
- | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
- | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
- Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
Default value: 1 | Windows Defender ATP Sample sharing is enabled
+Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
+Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
+Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
+Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
Default value: 1 | Windows Defender ATP Sample sharing is enabled
> [!NOTE]
@@ -83,8 +122,8 @@ Offboarding - Use the offboarding policies to remove configuration settings on e
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
- Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
- | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
+ Health Status for offboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
+Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
> [!NOTE]
> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md
index ed6a4793e9..e8153a2270 100644
--- a/windows/keep-secure/create-wip-policy-using-intune.md
+++ b/windows/keep-secure/create-wip-policy-using-intune.md
@@ -160,7 +160,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the
| All fields left as “*” |
- All files signed by any publisher. (Not recommended.) |
+ All files signed by any publisher. (Not recommended) |
| Publisher selected |
@@ -455,13 +455,13 @@ After you've decided where your protected apps can access enterprise data on you
- **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
- - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
+ - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
- - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files or in the **Start** menu, on top of the tiles for your unenlightened protected apps. The options are:
+ - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
- - **Yes (recommended).** Allows the Windows Information Protection icon overlay to appear for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
+ - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu.
- - **No, or not configured.** Stops the Windows Information Protection icon overlay from appearing for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
+ - **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option.
2. Click **Save Policy**.
diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md
index 9c13f0506b..dc86da4042 100644
--- a/windows/keep-secure/create-wip-policy-using-sccm.md
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@@ -80,7 +80,7 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the **
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Store App** from the **Rule template** drop-down list.
@@ -164,7 +164,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Desktop App** from the **Rule template** drop-down list.
@@ -304,7 +304,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.
@@ -382,7 +382,7 @@ There are no default locations included with WIP, you must add each of your netw
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
-
+
| Network location type |
@@ -401,13 +401,8 @@ There are no default locations included with WIP, you must add each of your netw
| Enterprise Proxy Servers |
-<<<<<<< HEAD
- proxy.contoso.com:80;proxy2.contoso.com:137 |
- Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet. This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic. TThis setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network. If you have multiple resources, you must separate them using the ";" delimiter. |
-=======
proxy.contoso.com:80;proxy2.contoso.com:443 |
Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP. This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic. This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network. If you have multiple resources, you must separate them using the ";" delimiter. |
->>>>>>> refs/remotes/origin/master
| Enterprise Internal Proxy Servers |
@@ -435,15 +430,15 @@ There are no default locations included with WIP, you must add each of your netw
The **Add or edit corporate network definition** box closes.
-4. Decide if you want to Windows to look for additional network settings.
+4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer.
- - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
+ - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
- - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
+ - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
- - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
+ - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index 068f9e099f..e904eecfe4 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -40,97 +40,73 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
## Hardware and software requirements
-The PC must meet the following hardware and software requirements to use Credential Guard:
+To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats.
-
-
-
-
-
-
-
-
-
-
-Windows 10 Enterprise |
-The PC must be running Windows 10 Enterprise. |
-
-
-UEFI firmware version 2.3.1 or higher and Secure Boot |
-To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Windows Hardware Compatibility Program requirement. |
-
-
-Virtualization extensions |
-The following virtualization extensions are required to support virtualization-based security:
-
-- Intel VT-x or AMD-V
-- Second Level Address Translation
- |
-
-
-x64 architecture |
-The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC. |
-
-
-A VT-d or AMD-Vi IOMMU (Input/output memory management unit) |
-In Windows 10, an IOMMU enhances system resiliency against memory attacks. ¹ |
-
-
-Trusted Platform Module (TPM) version 1.2 or 2.0 |
-TPM 1.2 and 2.0 provides protection for encryption keys used by virtualization-based security to protect Credential Guard secrets where all other keys are stored. See the following table to determine which TPM versions are supported on your OS.
-
-| OS version |
-Required TPM |
-
-| Windows 10 version 1507 |
-TPM 2.0 |
-
-
-| Windows 10 version 1511, Windows Server 2016, or later |
-TPM 2.0 or TPM 1.2 |
-
-
-
-Note If you don't have a TPM installed, Credential Guard will still be enabled, but the virtualization-based security keys used to protect Credential Guard secrets will not bound to the TPM. Instead, the keys will be protected in a UEFI Boot Service variable.
-
- |
-
-
-Secure firmware update process |
-To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement. Credential Guard relies on the security of the underlying hardware and firmware. It is critical to keep the firmware updated with the latest security fixes. |
-
-
-The firmware is updated for [Secure MOR implementation](http://msdn.microsoft.com/library/windows/hardware/mt270973.aspx) |
-Credential Guard requires the secure MOR bit to help prevent certain memory attacks. |
-
-
-Physical PC |
-For PCs running Windows 10, version 1511 and Windows 10, version 1507, you cannot run Credential Guard on a virtual machine. |
-
-
-Virtual machine |
-For PCs running Windows 10, version 1607 or Windows Server 2016, you can run Credential Guard on a Generation 2 virtual machine. |
-
-
-
-Hypervisor |
-You must use the Windows hypervisor. |
-
-
-
-
-¹ If you choose the **Secure Boot and DMA protection** option in the Group Policy setting, an IOMMU is required. The **Secure Boot** Group Policy option enables Credential Guard on devices without an IOMMU.
+You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
+
+The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
+
+> [!NOTE]
+> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
+> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
+
+
+## Credential Guard requirements for baseline protections
+
+|Baseline Protections - requirement | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
+| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
- VT-x (Intel) or
- AMD-V
And:
- Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
+| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
+| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
+
+> [!IMPORTANT]
+> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide.
+
+## Credential Guard requirements for improved security
+
+The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
+
+### 2015 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
+
+| Protections for Improved Security - requirement | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+
+
+
+### 2016 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1607, and Windows Server 2016)
+
+> [!IMPORTANT]
+> The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
+
+| Protections for Improved Security - requirement | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
- Enterprises can choose to allow proprietary EFI drivers/applications to run.
- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+
+
+
+### 2017 Additional Qualification Requirements for Credential Guard (announced as options for future Windows operating systems for 2017)
+
+| Protection for Improved Security - requirement | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. |
## Manage Credential Guard
-Credential Guard uses virtualization-based security features that must be enabled on each PC before you can use it.
+### Enable Credential Guard
+Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
-### Turn on Credential Guard by using Group Policy
+#### Turn on Credential Guard by using Group Policy
+
+You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed.
-You can use Group Policy to enable Credential Guard because it will add the virtualization-based security features for you.
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**.
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
@@ -140,43 +116,46 @@ You can use Group Policy to enable Credential Guard because it will add the virt
5. Close the Group Policy Management Console.
-### Add Credential Guard to an image
+To enforce processing of the group policy, you can run ```gpupdate /force```.
-If you would like to add Credential Guard to an image, you can do this by adding the virtualization-based security features and then turning on Credential Guard.
+#### Turn on Credential Guard by using the registry
-### Add the virtualization-based security features
+If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
-First, you must add the virtualization-based security features. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
+##### Add the virtualization-based security features
+
+Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
+
+If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
+You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
> [!NOTE]
> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
+
**Add the virtualization-based security features by using Programs and Features**
+
1. Open the Programs and Features control panel.
2. Click **Turn Windows feature on or off**.
3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
-4. Click **OK**.
+4. Select the **Isolated User Mode** check box at the top level of the feature selection.
+5. Click **OK**.
**Add the virtualization-based security features to an offline image by using DISM**
+
1. Open an elevated command prompt.
2. Add the Hyper-V Hypervisor by running the following command:
``` syntax
dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
```
+3. Add the Isolated User Mode feature by running the following command:
+ ``` syntax
+ dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
+ ```
> [!NOTE]
> You can also add these features to an online image by using either DISM or Configuration Manager.
-
-In Windows 10, version 1607 and Windows Server 2016, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode:
-
-``` syntax
-dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
-```
-### Turn on Credential Guard
-
-If you don't use Group Policy, you can enable Credential Guard by using the registry.
-
-**Turn on Credential Guard by using the registry**
+##### Enable virtualization-based security and Credential Guard
1. Open Registry Editor.
2. Enable virtualization-based security:
@@ -192,14 +171,30 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi
> [!NOTE]
> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
-**Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool**
+
+#### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot
```
-
+
+#### Credential Guard deployment in virtual machines
+
+Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine.
+
+Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine:
+
+``` PowerShell
+Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
+```
+
+Requirements for running Credential Guard in Hyper-V virtual machines
+- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
+- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
+
+
### Remove Credential Guard
If you have to remove Credential Guard on a PC, you need to do the following:
diff --git a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
index 2a41a2d649..ba8e5d4999 100644
--- a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
+++ b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
@@ -74,9 +74,9 @@ When finished, the files will be saved to your desktop. You can double-click the
To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be added to the code integrity policy, and the catalog file can be distributed to the individual client computers.
-For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtool.exe).
+For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtoolexe).
-For information about adding the signing certificate to a code integrity policy, see [Add a catalog signing certificate to a code integrity policy](deploy-code-integrity-policies-steps.md#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
+For information about adding the signing certificate to a code integrity policy, see [Add a catalog signing certificate to a code integrity policy](#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
## Catalog signing with SignTool.exe
diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
index bf63f5df7f..9f7be87cbb 100644
--- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
@@ -20,65 +20,43 @@ Hardware-based security features, also called virtualization-based security or V
2. **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard).
-3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
+3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).
-4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs), later in this topic.
+4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard), later in this topic.
For information about enabling Credential Guard, see [Protect derived domain credentials with Credential Guard](credential-guard.md).
-## Windows feature requirements for virtualization-based security
+## Windows feature requirements for virtualization-based security and Device Guard
-In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must enable certain operating system features before you can enable VBS:
+In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS:
- With Windows 10, version 1607 or Windows Server 2016:
-Hyper-V Hypervisor (shown in Figure 1).
+Hyper-V Hypervisor, which is enabled automatically. No further action is needed.
- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
-Hyper-V Hypervisor and Isolated User Mode (not shown).
+Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1).
-> **Note** You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, see [Protect derived domain credentials with Credential Guard](credential-guard.md).
+> **Note** You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box.
-Figure 1. Enable operating system feature for VBS
+**Figure 1. Enable operating system features for VBS, Windows 10, version 1511**
After you enable the feature or features, you can enable VBS for Device Guard, as described in the following sections.
-## Enable Virtualization Based Security (VBS)
+## Enable Virtualization Based Security (VBS) and Device Guard
-Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
+Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).
-There are multiple ways to configure VBS features for Device Guard. You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic, or you can use the following procedures, either to configure the appropriate registry keys manually or to use Group Policy.
+There are multiple ways to configure VBS features for Device Guard:
-> **Important**
-> - The settings in the following procedure include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you simply choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled.
For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
-> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
-
-**To configure VBS manually**
-
-1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
-
-2. Set the **EnableVirtualizationBasedSecurity DWORD** value to **1**.
-
-3. Set the **RequirePlatformSecurityFeatures DWORD** value as appropriate:
-
- | **With Windows 10, version 1607,
or Windows Server 2016** | **With an earlier version of Windows 10,
or Windows Server 2016 Technical Preview 5 or earlier** |
- | ---------------- | ---------------- |
- | **1** enables the **Secure Boot** option
**3** enables the **Secure Boot and DMA protection** option | **1** enables the **Secure Boot** option
**2** enables the **Secure Boot and DMA protection** option |
-
-4. With a supported operating system earlier than Windows 10, version 1607, or Windows Server 2016, skip this step, and remain in the same registry subkey.
-
- With Windows 10, version 1607, or Windows Server 2016, navigate to **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios**.
-
-5. Set the **HypervisorEnforcedCodeIntegrity DWORD** value to **1**.
-
-6. Restart the client computer.
-
-Unfortunately, it would be time consuming to perform these steps manually on every protected computer in your enterprise. Group Policy offers a much simpler way to deploy these features to your organization. This example creates a test organizational unit (OU) called *DG Enabled PCs*. If you want, you can instead link the policy to an existing OU, and then scope the GPO by using appropriately named computer security groups.
+- You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic.
+- You can use Group Policy, as described in the procedure that follows.
+- You can configure VBS manually, as described in [Use registry keys to enable VBS and Device Guard](#use-registry-keys-to-enable-vbs-and-device-guard), later in this topic.
> **Note** We recommend that you test-enable these features on a group of test computers before you enable them on users' computers. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail.
-### Use Group Policy to enable VBS
+### Use Group Policy to enable VBS and Device Guard
1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**.
@@ -104,7 +82,12 @@ Unfortunately, it would be time consuming to perform these steps manually on eve
> **Important** These settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.
For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
-6. For **Virtualization Based Protection of Code Integrity**, select the appropriate option:
+6. For **Virtualization Based Protection of Code Integrity**, select the appropriate option.
+
+ > [!WARNING]
+ > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
+
+ Select an option as follows:
- With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:
For an initial deployment or test deployment, we recommend **Enabled without lock**.
When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
@@ -120,6 +103,116 @@ Unfortunately, it would be time consuming to perform these steps manually on eve
Processed Device Guard policies are logged in event viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy.
+>**Note** Events will be logged in this event channel only when Group Policy is used to enable Device Guard features, not through other methods. If other methods such as registry keys are used, Device Guard features will be enabled but the events won’t be logged in this event channel.
+
+### Use registry keys to enable VBS and Device Guard
+
+Set the following registry keys to enable VBS and Device Guard. This provides exactly the same set of configuration options provided by Group Policy.
+
+> [!WARNING]
+> Virtualization-based protection of code integrity (controlled through the registry key **HypervisorEnforcedCodeIntegrity**) may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
+
+
+
+> **Important**
+> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you simply choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled.
For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
+> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
+
+#### For Windows 1607 and above
+
+Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
+
+``` commands
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
+```
+
+If you want to customize the preceding recommended settings, use the following settings.
+
+**To enable VBS**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+```
+
+**To enable VBS and require Secure boot only (value 1)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+```
+
+> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**.
+
+**To enable VBS without UEFI lock (value 0)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
+```
+
+> To enable **VBS with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**.
+
+**To enable virtualization-based protection of Code Integrity policies**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
+```
+
+**To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
+```
+
+> To enable **virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**.
+
+#### For Windows 1511 and below
+
+Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
+
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f
+```
+
+If you want to customize the preceding recommended settings, use the following settings.
+
+**To enable VBS (it is always locked to UEFI)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+```
+
+**To enable VBS and require Secure boot only (value 1)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+```
+
+> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**.
+
+**To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
+```
+
+**To enable virtualization-based protection of Code Integrity policies without UEFI lock**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f
+```
### Validate enabled Device Guard hardware-based security features
diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
index 9793cfc53f..f6b1ea7f6e 100644
--- a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
+++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
@@ -21,7 +21,7 @@ localizationpriority: high
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
## Enlightened versus unenlightened apps
-Apps can be enlightened (policy-aware) or unenlightened (policy-unaware).
+Apps can be enlightened (also referred to as WIP-aware) or unenlightened (also referred to as WIP-unaware).
- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
@@ -34,27 +34,29 @@ Apps can be enlightened (policy-aware) or unenlightened (policy-unaware).
## List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
-- Microsoft Edge
+- Microsoft Edge
-- Internet Explorer 11
+- Internet Explorer 11
-- Microsoft People
+- Microsoft People
-- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
+- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
-- Microsoft Photos
+- Microsoft Photos
-- Groove Music
+- Groove Music
-- Notepad
+- Notepad
-- Microsoft Paint
+- Microsoft Paint
-- Microsoft Movies & TV
+- Microsoft Movies & TV
-- Microsoft Messaging
+- Microsoft Messaging
+
+- Microsoft Remote Desktop
## Adding enlightened Microsoft apps to the allowed apps list
You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
@@ -75,4 +77,5 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** iexplore.exe
**App Type:** Desktop app |
|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** onedrive.exe
**App Type:** Desktop app|
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** notepad.exe
**App Type:** Desktop app |
-|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mspaint.exe
**App Type:** Desktop app |
\ No newline at end of file
+|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mspaint.exe
**App Type:** Desktop app |
+|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mstsc.exe
**App Type:** Desktop app |
\ No newline at end of file
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
index 9e73c1646e..2c68fb6704 100644
--- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -82,7 +82,7 @@ This URL will match that seen in the Firewall or network activity.
Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```. |
Variable = URL of the Windows Defender ATP processing servers.
The service could not contact the external processing servers at that URL. |
-Check the connection to the URL. See [Configure proxy and Internet connectivity](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity). |
+Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md). |
| 6 |
@@ -145,7 +145,7 @@ It may take several hours for the endpoint to appear in the portal.
Windows Defender Advanced Threat Protection cannot start command channel with URL: ```variable```. |
Variable = URL of the Windows Defender ATP processing servers.
The service could not contact the external processing servers at that URL. |
-Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity). |
+Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md). |
| 17 |
diff --git a/windows/keep-secure/images/atp-intune-add-oma.png b/windows/keep-secure/images/atp-intune-add-oma.png
new file mode 100644
index 0000000000..87586e7bd2
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-add-oma.png differ
diff --git a/windows/keep-secure/images/atp-intune-add-policy.png b/windows/keep-secure/images/atp-intune-add-policy.png
new file mode 100644
index 0000000000..570ab0a688
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-add-policy.png differ
diff --git a/windows/keep-secure/images/atp-intune-deploy-policy.png b/windows/keep-secure/images/atp-intune-deploy-policy.png
new file mode 100644
index 0000000000..a4f155428d
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-deploy-policy.png differ
diff --git a/windows/keep-secure/images/atp-intune-manage-deployment.png b/windows/keep-secure/images/atp-intune-manage-deployment.png
new file mode 100644
index 0000000000..450cb83369
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-manage-deployment.png differ
diff --git a/windows/keep-secure/images/atp-intune-new-policy.png b/windows/keep-secure/images/atp-intune-new-policy.png
new file mode 100644
index 0000000000..1e3661e63f
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-new-policy.png differ
diff --git a/windows/keep-secure/images/atp-intune-oma-uri-setting.png b/windows/keep-secure/images/atp-intune-oma-uri-setting.png
new file mode 100644
index 0000000000..f201f402da
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-oma-uri-setting.png differ
diff --git a/windows/keep-secure/images/atp-intune-policy-name.png b/windows/keep-secure/images/atp-intune-policy-name.png
new file mode 100644
index 0000000000..b45b2c5211
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-policy-name.png differ
diff --git a/windows/keep-secure/images/atp-intune-save-policy.png b/windows/keep-secure/images/atp-intune-save-policy.png
new file mode 100644
index 0000000000..b4adb7c064
Binary files /dev/null and b/windows/keep-secure/images/atp-intune-save-policy.png differ
diff --git a/windows/keep-secure/images/atp-onboard-mdm.png b/windows/keep-secure/images/atp-onboard-mdm.png
new file mode 100644
index 0000000000..18b70c8c27
Binary files /dev/null and b/windows/keep-secure/images/atp-onboard-mdm.png differ
diff --git a/windows/keep-secure/images/dg-fig1-enableos.png b/windows/keep-secure/images/dg-fig1-enableos.png
index a114c520de..cefb124344 100644
Binary files a/windows/keep-secure/images/dg-fig1-enableos.png and b/windows/keep-secure/images/dg-fig1-enableos.png differ
diff --git a/windows/keep-secure/images/vpn-app-rules.png b/windows/keep-secure/images/vpn-app-rules.png
new file mode 100644
index 0000000000..edc4a24209
Binary files /dev/null and b/windows/keep-secure/images/vpn-app-rules.png differ
diff --git a/windows/keep-secure/images/vpn-app-trigger.PNG b/windows/keep-secure/images/vpn-app-trigger.PNG
new file mode 100644
index 0000000000..aebd913df5
Binary files /dev/null and b/windows/keep-secure/images/vpn-app-trigger.PNG differ
diff --git a/windows/keep-secure/images/vpn-conditional-access-intune.png b/windows/keep-secure/images/vpn-conditional-access-intune.png
new file mode 100644
index 0000000000..9f4efabc3f
Binary files /dev/null and b/windows/keep-secure/images/vpn-conditional-access-intune.png differ
diff --git a/windows/keep-secure/images/vpn-connection-intune.png b/windows/keep-secure/images/vpn-connection-intune.png
new file mode 100644
index 0000000000..bf551eabb7
Binary files /dev/null and b/windows/keep-secure/images/vpn-connection-intune.png differ
diff --git a/windows/keep-secure/images/vpn-connection.png b/windows/keep-secure/images/vpn-connection.png
new file mode 100644
index 0000000000..c7d7a0d274
Binary files /dev/null and b/windows/keep-secure/images/vpn-connection.png differ
diff --git a/windows/keep-secure/images/vpn-custom-xml-intune.png b/windows/keep-secure/images/vpn-custom-xml-intune.png
new file mode 100644
index 0000000000..94cbb2c5cb
Binary files /dev/null and b/windows/keep-secure/images/vpn-custom-xml-intune.png differ
diff --git a/windows/keep-secure/images/vpn-device-compliance.png b/windows/keep-secure/images/vpn-device-compliance.png
new file mode 100644
index 0000000000..d33ccba508
Binary files /dev/null and b/windows/keep-secure/images/vpn-device-compliance.png differ
diff --git a/windows/keep-secure/images/vpn-eap-xml.png b/windows/keep-secure/images/vpn-eap-xml.png
new file mode 100644
index 0000000000..9a90401c88
Binary files /dev/null and b/windows/keep-secure/images/vpn-eap-xml.png differ
diff --git a/windows/keep-secure/images/vpn-intune-policy.png b/windows/keep-secure/images/vpn-intune-policy.png
new file mode 100644
index 0000000000..4224979bbd
Binary files /dev/null and b/windows/keep-secure/images/vpn-intune-policy.png differ
diff --git a/windows/keep-secure/images/vpn-name-intune.png b/windows/keep-secure/images/vpn-name-intune.png
new file mode 100644
index 0000000000..a7b3bfe3b4
Binary files /dev/null and b/windows/keep-secure/images/vpn-name-intune.png differ
diff --git a/windows/keep-secure/images/vpn-profilexml-intune.png b/windows/keep-secure/images/vpn-profilexml-intune.png
new file mode 100644
index 0000000000..7277b7a598
Binary files /dev/null and b/windows/keep-secure/images/vpn-profilexml-intune.png differ
diff --git a/windows/keep-secure/images/vpn-split-route.png b/windows/keep-secure/images/vpn-split-route.png
new file mode 100644
index 0000000000..12c3fe64d6
Binary files /dev/null and b/windows/keep-secure/images/vpn-split-route.png differ
diff --git a/windows/keep-secure/images/vpn-split.png b/windows/keep-secure/images/vpn-split.png
new file mode 100644
index 0000000000..b4143ab1e5
Binary files /dev/null and b/windows/keep-secure/images/vpn-split.png differ
diff --git a/windows/keep-secure/images/vpn-traffic-rules.png b/windows/keep-secure/images/vpn-traffic-rules.png
new file mode 100644
index 0000000000..fa7b526e80
Binary files /dev/null and b/windows/keep-secure/images/vpn-traffic-rules.png differ
diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
index b9e72308cc..ee6e108018 100644
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
+++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
@@ -131,7 +131,7 @@ The following table lists the Group Policy settings that you can configure for H
-| Phone Sign-in |
+Phone Sign-in |
Use Phone Sign-in
Note Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
@@ -289,8 +289,8 @@ The following table lists the MDM policy settings that you can configure for Win
| Device or user |
False |
- True: Phone sign-in is enabled.
-False: Phone sign-in is disabled.
+True: Phone sign-in is enabled.
+False: Phone sign-in is disabled.
|
@@ -312,7 +312,6 @@ You’ll need this software to set Windows Hello for Business policies in your e
@@ -321,11 +320,6 @@ You’ll need this software to set Windows Hello for Business policies in your e
Key-based authentication |
Azure AD subscription |
-- Active Directory Federation Service (AD FS) (Windows Server 2016)
-- A few Windows Server 2016 domain controllers on-site
-- Microsoft System Center 2012 R2 Configuration Manager SP2
- |
-
- Azure AD subscription
- [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
- A few Windows Server 2016 domain controllers on-site
@@ -341,12 +335,6 @@ You’ll need this software to set Windows Hello for Business policies in your e
- PKI infrastructure
|
-- ADFS (Windows Server 2016)
-- Active Directory Domain Services (AD DS) Windows Server 2016 schema
-- PKI infrastructure
-- Configuration Manager SP2, Intune, or non-Microsoft MDM solution
- |
-
- Azure AD subscription
- [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
- AD CS with NDES
diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md
index bae0757612..3e1ed57822 100644
--- a/windows/keep-secure/index.md
+++ b/windows/keep-secure/index.md
@@ -26,7 +26,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. |
-| [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
+| [VPN technical guide](vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
index 8670def085..cc8625adb9 100644
--- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
@@ -40,7 +40,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
2. On the **Action** menu, click **Initialize TPM** to start the TPM Initialization Wizard.
3. If the TPM has never been initialized or is turned off, the TPM Initialization Wizard displays the **Turn on the TPM security hardware** dialog box. This dialog box provides guidance for initializing or turning on the TPM. Follow the instructions in the wizard.
- >**Note:** If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the [To set ownership of the TPM](#bkmk-setownership) procedure.
+ >**Note:** If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the **To set ownership of the TPM** procedure.
>**Note:** If the TPM Initialization Wizard detects that you do not have a compatible BIOS, you cannot continue with the TPM Initialization Wizard, and you are alerted to consult the computer manufacturer's documentation for instructions to initialize the TPM.
@@ -57,7 +57,7 @@ To finish initializing the TPM for use, you must set an owner for the TPM. The p
**To set ownership of the TPM**
-1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure [To start the TPM Initialization Wizard](#bkmk-starttpminitwizard).
+1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure **To start the TPM Initialization Wizard**.
2. In the **Create the TPM owner password** dialog box, click **Automatically create the password (recommended)**.
3. In the **Save your TPM owner password** dialog box, click **Save the password**.
4. In the **Save As** dialog box, select a location to save the password, and then click **Save**. The password file is saved as *computer\_name.tpm*.
diff --git a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md
index f2741165ce..d1d0b00b2e 100644
--- a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md
+++ b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md
@@ -35,7 +35,7 @@ A malicious user might install malware that looks like the standard logon dialog
### Best practices
-- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Disabled**. Unless they are using a smart card to log on, users will have to simultaneously press three keys before the logon dialog box appears.
+- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**.
### Location
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
index fb34c03d1f..59834fcd44 100644
--- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -81,7 +81,7 @@ Investigate the details of an alert raised on a specific machine to identify oth
You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
-- The [Machines view](#Investigate-machines-in-the-Windows-Defender-ATP-Machines-view)
+- The [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
- The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- Any individual alert
diff --git a/windows/keep-secure/isolating-apps-on-your-network.md b/windows/keep-secure/isolating-apps-on-your-network.md
index c8adf77620..9743da28c0 100644
--- a/windows/keep-secure/isolating-apps-on-your-network.md
+++ b/windows/keep-secure/isolating-apps-on-your-network.md
@@ -44,7 +44,7 @@ To isolate Windows Store apps on your network, you need to use Group Policy to d
- [Prerequisites](#prerequisites)
-- [Step 1: Define your network](#step-1-Define-your-network)
+- [Step 1: Define your network](#step-1-define-your-network)
- [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules)
diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md
index 947cee9c66..dc2429d6b3 100644
--- a/windows/keep-secure/limitations-with-wip.md
+++ b/windows/keep-secure/limitations-with-wip.md
@@ -71,7 +71,12 @@ This table provides info about the most common problems you might encounter whil
| You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. |
- A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**. |
- Open File Explorer and change the file ownership to **Personal** before you upload. |
+ A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal. |
+ Open File Explorer and change the file ownership to Personal before you upload. |
+
+
+ | ActiveX controls should be used with caution. |
+ Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. |
+ We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology. For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). |
|
diff --git a/windows/keep-secure/local-accounts.md b/windows/keep-secure/local-accounts.md
index 3e94ade971..3e50de5cc8 100644
--- a/windows/keep-secure/local-accounts.md
+++ b/windows/keep-secure/local-accounts.md
@@ -81,7 +81,7 @@ The default Administrator account is initially installed differently for Windows
In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the **Remote control** and **Remote Desktop Services Profile** settings. You can also disable the Administrator account when it is not required.
-In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. For more information, see [Security considerations](#sec-administrator-security).
+In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**.
**Account group membership**
diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
index 71b7ad88c9..d91d7bbb04 100644
--- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
+++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
@@ -19,7 +19,7 @@ localizationpriority: high
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
>[!NOTE]
-> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Hello addresses the following problems with passwords:
- Passwords can be difficult to remember, and users often reuse passwords on multiple sites.
diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md
index d4bd6e4d33..d2737b9630 100644
--- a/windows/keep-secure/microsoft-passport-guide.md
+++ b/windows/keep-secure/microsoft-passport-guide.md
@@ -298,7 +298,6 @@ Table 1. Deployment requirements for Microsoft Passport
Microsoft Passport method |
Azure AD |
Hybrid Active Directory |
-On-premises Active Directory only |
@@ -312,8 +311,6 @@ Table 1. Deployment requirements for Microsoft Passport
A management solution, such as Configuration Manager, Group Policy, or MDM
Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)
-One or more Windows Server 2016 Technical Preview domain controllers
-AD FS of Windows Server 2016 Technical Preview |
| Certificate-based |
@@ -326,9 +323,6 @@ Table 1. Deployment requirements for Microsoft Passport
AD CS with NDES
Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
-AD DS Windows Server 2016 Technical Preview schema
-AD FS of Windows Server 2016 Technical Preview
-PKI infrastructure
System Center 2012 R2 Configuration Manager with SP2 or later |
diff --git a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
index 0790236e3f..2846134874 100644
--- a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
+++ b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
@@ -53,5 +53,9 @@ This topic provides a roadmap for planning and getting started on the Device Gua
- [Enforce code integrity policies](deploy-code-integrity-policies-steps.md#enforce-code-integrity-policies)
- [Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy)
-8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md).
+8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
+ > [!WARNING]
+ > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
+
+ For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md).
diff --git a/windows/keep-secure/remote-credential-guard.md b/windows/keep-secure/remote-credential-guard.md
index 575cb5f7f2..2a813caee1 100644
--- a/windows/keep-secure/remote-credential-guard.md
+++ b/windows/keep-secure/remote-credential-guard.md
@@ -35,7 +35,6 @@ The Remote Desktop client and server must meet the following requirements in ord
- They must be running at least Windows 10, version 1607 or Windows Server 2016.
- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard.
-
## Enable Remote Credential Guard
You must enable Remote Credential Guard on the target device by using the registry.
@@ -60,12 +59,13 @@ You can use Remote Credential Guard on the client device by setting a Group Poli
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**.
2. Double-click **Restrict delegation of credentials to remote servers**.
-3. In the **Use the following restricted mode** box:
- - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Require Remote Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.
+3. Under **Use the following restricted mode**:
+ - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Prefer Remote Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.
> **Note:** Neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
- - If you want to allow Remote Credential Guard, choose **Prefer Remote Credential Guard**.
+ - If you want to require Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic.
+
4. Click **OK**.
diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 13b3f05f42..13754fa34c 100644
--- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -20,6 +20,7 @@ This article describes the following:
- [Device Guard requirements for baseline protections](#device-guard-requirements-for-baseline-protections)
- [Device Guard requirements for improved security](#device-guard-requirements-for-improved-security)
- [Device Guard deployment in different scenarios: types of devices](#device-guard-deployment-in-different-scenarios-types-of-devices)
+- [Device Guard deployment in virtual machines](#device-guard-deployment-in-virtual-machines)
- [Reviewing your applications: application signing and catalog files](#reviewing-your-applications-application-signing-and-catalog-files)
- [Code integrity policy formats and signing](#code-integrity-policy-formats-and-signing)
@@ -35,6 +36,9 @@ For example, hardware that includes CPU virtualization extensions and SLAT will
You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
+> [!WARNING]
+> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
+
The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
> **Notes**
@@ -96,6 +100,19 @@ Typically, deployment of Device Guard happens best in phases, rather than being
| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.
- Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. |
| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A |
+## Device Guard deployment in virtual machines
+
+Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The enablement steps are the same from within the virtual machine.
+
+Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Device Guard for a virtual machine:
+
+` Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true`
+
+
+### Requirements for running Device Guard in Hyper-V virtual machines
+ - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
+ - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
+
## Reviewing your applications: application signing and catalog files
Typically, code integrity policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a “catalog file” from the applications, sign it, and through the signed catalog file, configure the code integrity policy to recognize the applications as signed.
diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md
index acf27319d7..277ad8c4ba 100644
--- a/windows/keep-secure/tpm-recommendations.md
+++ b/windows/keep-secure/tpm-recommendations.md
@@ -40,7 +40,8 @@ OEMs implement the TPM as a component in a trusted computing platform, such as a
The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not.
>**Note:** Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
+
## TPM 1.2 vs. 2.0 comparison
From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM.
@@ -59,48 +60,31 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
- TPM 2.0 offers a more **consistent experience** across different implementations.
- - TPM 1.2 implementations across both discrete and firmware vary in policy settings. This may result in support issues as lockout policies vary.
- - TPM 2.0 standardized policy requirement helps establish a consistent lockout experience across devices, as such, Windows can offer a better user experience end to end.
+ - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
+ - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
-- While TPM 1.2 parts were discrete silicon components typically soldered on the motherboard, TPM 2.0 is available both as a **discrete (dTPM)** silicon component and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on the system’s main SoC:
+- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a sinple semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
- - On Intel chips, it is the Intel Management Engine (ME) or Converged Security Engine (CSE).
- - For AMD chips, it is the AMD Security Processor
- - For ARM chips, it is a Trustzone Trusted Application (TA).
- - In the case of firmware TPM for desktop Windows systems, the chip vendor provides the firmware TPM implementation along with the other chip firmware to OEMs.
+## Discrete, Integrated or Firmware TPM?
-## Discrete or firmware TPM?
+There are three implementation options for TPMs:
-Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option.
+- Discrete TPM chip as a separate component in its own semiconductor package
+- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
+- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
-From a security standpoint, discrete and firmware share the same characteristics;
-
-- Both use hardware based secure execution.
-- Both use firmware for portions of the TPM functionality.
-- Both are equipped with tamper resistance capabilities.
-- Both have unique security limitations/risks.
-
-For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236).
+Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.
## Is there any importance for TPM for consumer?
-For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
+For end consumers, TPM is behind the scenes but is still very relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a components of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
## TPM 2.0 Compliance for Windows 10
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
-- As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
+- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
-## Two implementation options:
-
-- Discrete TPM chip as a separate discrete component
-- Firmware TPM solution using Intel PTT (platform trust technology) or AMD
-
-### Windows 10 Mobile
-
-- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled.
-
### IoT Core
- TPM is optional on IoT Core.
@@ -226,7 +210,7 @@ The following table defines which Windows features require TPM support. Some fea
## Chipset options for TPM 2.0
-There are a variety of TPM manufacturers for both discrete and firmware.
+There is a vibrant ecosystem of TPM manufacturers.
### Discrete TPM
@@ -250,6 +234,33 @@ There are a variety of TPM manufacturers for both discrete and firmware.
+### Integrated TPM
+
+
+
+
+
+
+
+
+
+| Intel |
+
+- Atom (CloverTrail)
+
- Baytrail
+- Braswell
+- 4th generation Core (Haswell)
+- 5th generation Core (Broadwell)
+- 6th generation Core (Skylake)
+- 7th generation Core (Kaby Lake)
+ |
+
+
+
+
### Firmware TPM
@@ -272,17 +283,6 @@ There are a variety of TPM manufacturers for both discrete and firmware.
-| Intel |
-
-- Atom (CloverTrail)
-
- Baytrail
-- 4th generation(Haswell)
-- 5th generation(Broadwell)
-- Braswell
-- Skylake
- |
-
-
| Qualcomm |
- MSM8994
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index cbb00275b2..e3c1d51f68 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -74,6 +74,8 @@ Event ID | Error Type | Resolution steps
## Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
+If you have configured policies in Intune and they are not propagated on endpoints, you might need to configure automatic MDM enrollment. For more information, see the [Configure automatic MDM enrollment](https://go.microsoft.com/fwlink/?linkid=829597) section.
+
Use the following tables to understand the possible causes of issues while onboarding:
- Microsoft Intune error codes and OMA-URIs table
@@ -114,7 +116,7 @@ Channel name: Admin
ID | Severity | Event description | Troubleshooting steps
:---|:---|:---|:---
-1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ELAM driver needs to be enabled see, [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions.
+1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
## Troubleshoot onboarding issues on the endpoint
If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
index 150079eaff..fd485e8645 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -29,6 +29,9 @@ Configure your browser to allow cookies.
### No data is shown on the portal
If no data is displayed on the Dashboard portal even if no errors were encountered in the portal logs or in the browser console, you'll need to whitelist the threat intelligence, data access, and detonation endpoints that also use this protocol.
+> [!NOTE]
+> You must use the HTTPS protocol when adding the following endpoints.
+
Depending on your region, add the following endpoints to the whitelist:
U.S. region:
@@ -37,9 +40,6 @@ U.S. region:
- daasmon-eus-prd.cloudapp.net
- dataaccess-cus-prd.cloudapp.net
- dataaccess-eus-prd.cloudapp.net
-- onboardingservice-prd.trafficmanager.net
-- sevillefeedback-prd.trafficmanager.net
-- sevillesettings-prd.trafficmanager.net
- threatintel-cus-prd.cloudapp.net
- threatintel-eus-prd.cloudapp.net
- winatpauthorization.windows.com
@@ -51,9 +51,6 @@ EU region:
- dataaccess-neu-prd.cloudapp.net
- dataaccess-weu-prd.cloudapp.net
-- onboardingservice-prd.trafficmanager.net
-- sevillefeedback-prd.trafficmanager.net
-- sevillesettings-prd.trafficmanager.net
- threatintel-neu-prd.cloudapp.net
- threatintel-weu-prd.cloudapp.net
- winatpauthorization.windows.com
diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
index 5973f94f6f..d927f73825 100644
--- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
@@ -30,8 +30,8 @@ The TPM Services Group Policy settings are located at:
| [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) | X| X| X| X| X| X|
| [Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)| | X| X| X|||
| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X| X|||
-| [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)| X| X| X| X|||
-| [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X| X||||
+| [Standard User Individual Lockout Threshold](#bkmk-individual)| X| X| X| X|||
+| [Standard User Total Lockout Threshold](#bkmk-total)| X| X| X| X||||
### Turn on TPM backup to Active Directory Domain Services
diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
index 3aabc0a07e..2aa91da1a1 100644
--- a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
@@ -193,5 +193,5 @@ The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Wind
| ValidateAdminCodeSignatures | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | 0 (Default) = Disabled
1 = Enabled |
| EnableSecureUIAPaths | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | 0 = Disabled
1 (Default) = Enabled |
| EnableLUA | [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | 0 = Disabled
1 (Default) = Enabled |
-| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control:-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled
1 (Default) = Enabled |
+| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled
1 (Default) = Enabled |
| EnableVirtualization | [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | 0 = Disabled
1 (Default) = Enabled |
diff --git a/windows/keep-secure/vpn-authentication.md b/windows/keep-secure/vpn-authentication.md
new file mode 100644
index 0000000000..e248b304f6
--- /dev/null
+++ b/windows/keep-secure/vpn-authentication.md
@@ -0,0 +1,61 @@
+---
+title: VPN authentication options (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN authentication options
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).
+
+Windows supports a number of EAP authentication methods.
+
+
+| Method | Details |
|---|
+
+| EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2) | - User name and password authentication
- Winlogon credentials - can specify authentication with computer sign-in credentials
|
+| EAP-Transport Layer Security (EAP-TLS) | - Supports the following types of certificate authentication
- Certificate with keys in the software Key Storage Provider (KSP)
- Certificate with keys in Trusted Platform Module (TPM) KSP
- Smart card certficates
- Windows Hello for Business certificate
- Certificate filtering
- Certificate filtering can be enabled to search for a particular certificate to use to authenticate with
- Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based
- Server validation - with TLS, server validation can be toggled on or off
- Server name - specify the server to validate
- Server certificate - trusted root certificate to validate the server
- Notification - specify if the user should get a notification asking whether to trust the server or not
|
+| Protected Extensible Authentication Protocol (PEAP) | - Server validation - with PEAP, server validation can be toggled on or off
- Server name - specify the server to validate
- Server certificate - trusted root certificate to validate the server
- Notification - specify if the user should get a notification asking whether to trust the server or not
- Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication
- Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.
- Cryptobinding: By deriving and exchanging values from the PEAP phase 1 key material (Tunnel Key) and from the PEAP phase 2 inner EAP method key material (Inner Session Key), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.
|
+| Tunneled Transport Layer Security (TTLS) | - Inner method
- Non-EAP
- Password Authentication Protocol (PAP)
- CHAP
- MSCHAP
- MSCHAPv2
- EAP
- Server validation: in TTLS, the server must be validated. The following can be configured:
- Server name
- Trusted root certificate for server certificate
- Whether there should be a server validation notification
|
+
+
+
+For a UWP VPN plug-in, the app vendor controls the authentication method to be used. The following credential types can be used:
+
+- Smart card
+- Certificate
+- Windows Hello for Business
+- User name and password
+- One-time password
+- Custom credential type
+
+## Configure authentication
+
+See [EAP configuration](https://msdn.microsoft.com/library/windows/hardware/mt168513.aspx) for EAP XML configuration.
+
+>[!NOTE]
+>To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](https://msdn.microsoft.com/library/windows/hardware/mt168513.aspx) to create a smart card certificate. [Learn more about Windows Hello for Business.](https://technet.microsoft.com/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport)
+
+The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
+
+
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/keep-secure/vpn-auto-trigger-profile.md b/windows/keep-secure/vpn-auto-trigger-profile.md
new file mode 100644
index 0000000000..3b63ffa494
--- /dev/null
+++ b/windows/keep-secure/vpn-auto-trigger-profile.md
@@ -0,0 +1,88 @@
+---
+title: VPN auto-triggered profile options (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN auto-triggered profile options
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+In Windows 10, a number of features were added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
+
+- App trigger
+- Name-based trigger
+- Always On
+
+## App trigger
+
+VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
+
+The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.
+
+[Find a package family name (PFN) for per-app VPN configuration](https://docs.microsoft.com/intune/deploy-use/find-a-pfn-for-per-app-vpn)
+
+
+## Name-based trigger
+
+You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.
+
+Name-based auto-trigger can be configured using the VPNv2/*ProfileName*/DomainNameInformationList/dniRowId/AutoTrigger setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+
+There are four types of name-based triggers:
+
+- Short name: for example, if **HRweb** is configured as a trigger and the stack sees a DNS resolution request for **HRweb**, the VPN will be triggered.
+- Fully-qualified domain name (FQDN): for example, if **HRweb.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request for **HRweb.corp.contoso.com**, the VPN will be triggered.
+- Suffix: for example, if **.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request with a matching suffix (such as **HRweb.corp.contoso.com**), the VPN will be triggered. For any short name resolution, VPN will be triggered and the DNS server will be queried for the *ShortName*.**corp.contoso.com**.
+- All: if used, all DNS resolution should trigger VPN.
+
+
+## Always On
+
+Always On is a feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers:
+
+- User sign-in
+- Network change
+- Device screen on
+
+When the trigger occurs, VPN tries to connect. If an error occurs or any user input is needed, the user is shown a toast notification for additional interaction.
+
+
+When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**.
+
+## Trusted network detection
+
+This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
+
+Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+
+
+## Configure app-triggered VPN
+
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
+
+The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
+
+
+
+After you add an associated app, if you select the **Only these apps can use this VPN connection (per-app VPN)** checkbox, the app becomes available in **Corporate Boundaries**, where you can configure rules for the app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
+
+
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/keep-secure/vpn-conditional-access.md b/windows/keep-secure/vpn-conditional-access.md
new file mode 100644
index 0000000000..4a4f96248d
--- /dev/null
+++ b/windows/keep-secure/vpn-conditional-access.md
@@ -0,0 +1,127 @@
+---
+title: VPN and conditional access (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN and conditional access
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
+
+>[!NOTE]
+>Conditional Access is an Azure AD Premium feature.
+
+Conditional Access Platform components used for Device Compliance include the following cloud-based services:
+- [Conditional Access Framework](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
+
+- [Azure AD Connect Health](https://azure.microsoft.com/documentation/articles/active-directory-Azure ADconnect-health/)
+
+- [Windows Health Attestation Service](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional)
+
+- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
+
+- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used.
+
+ Additional details regarding the Azure AD issued short-lived certificate:
+ - The default lifetime is 60 minutes and is configurable
+ - When that certificate expires, the client will again check with Azure AD so that continued health can be validated before a new certificate is issued allowing continuation of the connection
+
+- [Microsoft Intune device compliance policies](https://docs.microsoft.com/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
+
+ - Antivirus status
+ - Auto-update status and update compliance
+ - Password policy compliance
+ - Encryption compliance
+ - Device health attestation state (validated against attestation service after query)
+
+
+The following client-side components are also required:
+- [HealthAttestation Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn934876.aspx)
+- [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) DeviceCompliance node settings
+- Trusted Platform Module (TPM)
+
+## VPN device compliance
+
+Server-side infrastructure requirements to support VPN device compliance include:
+
+- The VPN server should be configured for certificate authentication.
+- The VPN server should trust the tenant-specific Azure AD CA
+- Either of the below should be true for Kerberos/NTLM SSO:
+ - Domain servers trust Azure AD CA
+ - A domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO)
+
+After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node.
+
+Two client-side configuration service providers are leveraged for VPN device compliance.
+
+- VPNv2 CSP DeviceCompliance settings
+ - **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client will attempt to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD.
+ - **Sso**: nodes under SSO can be used to choose a certificate different from the VPN authentication certificate for Kerberos authentication in the case of device compliance.
+ - **Sso/Enabled**: if this field is set to **true**, the VPN client will look for a separate certificate for Kerberos authentication.
+ - **Sso/IssuerHash**: hashes for the VPN client to look for the correct certificate for Kerberos authentication.
+ - **Sso/Eku**: comma-separated list of Enhanced Key Usage (EKU) extensions for the VPN client to look for the correct certificate for Kerberos authentication.
+- HealthAttestation CSP (not a requirement) - functions performed by the HealthAttestation CSP include:
+ - Collects TPM data used to verify health states
+ - Forwards the data to the Health Attestation Service (HAS)
+ - Provisions the Health Attestation Certificate received from the HAS
+ - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
+
+## Client connection flow
+
+
+The VPN client side connection flow works as follows:
+
+
+
+When a Device Compliance-enabled VPN connection profile is triggered (either manually or automatically):
+
+1. The VPN client calls into Windows 10’s AAD Token Broker, identifying itself as a VPN client.
+2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies.
+3. If compliant, Azure AD requests a short-lived certificate
+4. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
+5. The VPN client uses the Azure AD-issued certificate to authenticate with the VPN server.
+
+
+
+## Configure conditional access
+
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
+
+The following image shows conditional access options in a VPN Profile configuration policy using Microsoft Intune.
+
+
+
+>[!NOTE]
+>In Intune, the certificate selected in **Select a client certificate for client authentication** does not set any VPNv2 CSP nodes. It is simply a way to tie the VPN profile’s successful provisioning to the existence of a certificate. If you are enabling conditional access and using the Azure AD short-lived certificate for both VPN server authentication and domain resource authentication, do not select a certificate since the short-lived certificate is not a certificate that would be on the user’s device yet.
+
+## Learn more about Conditional Access and Azure AD Health
+
+- [Azure Active Directory conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/)
+- [Getting started with Azure Active Directory Conditional Access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access-azuread-connected-apps/)
+- [Control the health of Windows 10-based devices](https://technet.microsoft.com/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2/)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3/)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
+
+
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/keep-secure/vpn-connection-type.md b/windows/keep-secure/vpn-connection-type.md
new file mode 100644
index 0000000000..bbf5c689d1
--- /dev/null
+++ b/windows/keep-secure/vpn-connection-type.md
@@ -0,0 +1,84 @@
+---
+title: VPN connection types (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN connection types
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.
+
+There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured.
+
+
+
+## Built-in VPN client
+
+- Tunneling protocols
+
+ - [Internet Key Exchange version 2 (IKEv2)](https://technet.microsoft.com/library/ff687731.aspx)
+
+ Configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+
+ - [L2TP](https://technet.microsoft.com/library/ff687761.aspx)
+
+ L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+
+ - [PPTP](https://technet.microsoft.com/library/ff687676.aspx)
+
+ - [SSTP](https://technet.microsoft.com/library/ff687819.aspx)
+
+ SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option.
+
+- Automatic
+
+ The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt from most secure to least secure.
+
+ Configure **Automatic** for the **NativeProtocolType** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+
+
+
+## Universal Windows Platform VPN plug-in
+
+The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.
+
+There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
+
+## Configure connection type
+
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
+
+The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune.
+
+
+
+In Intune, you can also include custom XML for third-party plug-in profiles.
+
+
+
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)
+
+
+
+
+
+
diff --git a/windows/keep-secure/vpn-guide.md b/windows/keep-secure/vpn-guide.md
new file mode 100644
index 0000000000..d77847b083
--- /dev/null
+++ b/windows/keep-secure/vpn-guide.md
@@ -0,0 +1,45 @@
+---
+title: Windows 10 VPN technical guide (Windows 10)
+description: Use this guide to configure VPN deployment for Windows 10.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Windows 10 VPN technical guide
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.
+
+
+
+>[!NOTE]
+>This guide does not explain server deployment.
+
+## In this guide
+
+| Topic | Description |
+| --- | --- |
+| [VPN connection types](vpn-connection-type.md) | Select a VPN client and tunneling protocol |
+| [VPN routing decisions](vpn-routing.md) | Choose between split tunnel and force tunnel configuration |
+| [VPN authentication options](vpn-authentication.md) | Select a method for Extensible Authentication Protocol (EAP) authentication. |
+| [VPN and conditional access](vpn-conditional-access.md) | Use Azure Active Directory policy evaluation to set access policies for VPN connections. |
+| [VPN name resolution](vpn-name-resolution.md) | Decide how name resolution should work |
+| [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) | Set a VPN profile to connect automatically by app or by name, to be "always on", and to not trigger VPN on trusted networks |
+| [VPN security features](vpn-security-features.md) | Set a LockDown VPN profile, configure traffic filtering, and connect VPN profile to Windows Information Protection (WIP) |
+| [VPN profile options](vpn-profile-options.md) | Combine settings into single VPN profile using XML |
+
+
+## Learn more
+
+- [VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune)
+
+
+
diff --git a/windows/keep-secure/vpn-name-resolution.md b/windows/keep-secure/vpn-name-resolution.md
new file mode 100644
index 0000000000..d9a7d32a58
--- /dev/null
+++ b/windows/keep-secure/vpn-name-resolution.md
@@ -0,0 +1,82 @@
+---
+title: VPN name resolution (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN name resolution
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server.
+
+The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix on the most preferred interface based on the interface metric is appended to the name (in the case of a short name) and a DNS query is sent out on the preferred interface. If the query times out, the DNS suffix search list is used in order and DNS queries are sent on all interfaces.
+
+## Name Resolution Policy table (NRPT)
+
+The NRPT is a table of namespaces that determines the DNS client’s havior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
+
+There are 3 types of name matches that can set up for NRPT:
+
+- Fully qualified domain name (FQDN) that can used for direct matching to a name
+
+- Suffix match results in either a comparison of suffixes (for FQDN resolution) or the appending of the suffix (in case of a short name)
+
+- Any resolution should attempt to first resolve with the proxy server/DNS server with this entry
+
+NRPT is set using the **VPNv2/*ProfileName*/DomainNameInformationList** node of the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx). This node also configures Web proxy server or domain name servers.
+
+[Learn more about NRPT](https://technet.microsoft.com/library/ee649207%28v=ws.10%29.aspx)
+
+
+## DNS suffix
+
+This setting is used to configure the primary DNS suffix for the VPN interface and the suffix search list after the VPN connection is established.
+
+Primary DNS suffix is set using the **VPNv2/*ProfileName*/DnsSuffix** node.
+
+
+
+[Learn more about primaryDNS suffix](https://technet.microsoft.com/library/cc959611.aspx)
+
+## Persistent
+
+You can also configure *persistent* name resolution rules. Name resolution for specified items will only performed over VPN.
+
+Persistent name resolution is set using the **VPNv2/*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node.
+
+
+
+## Configure name resolution
+
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
+
+The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune.
+
+
+
+The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table.
+
+| Field | XML |
+| --- | --- |
+| **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** |
+| **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** |
+| **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** |
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/keep-secure/vpn-profile-options.md
index 90c8e2aa2d..77af3754f6 100644
--- a/windows/keep-secure/vpn-profile-options.md
+++ b/windows/keep-secure/vpn-profile-options.md
@@ -16,48 +16,288 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect.
+Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or System Center Configuration Manager. All VPN settings in Windows 10 can be configued using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
-## Always On
+>[!NOTE]
+>If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers) first.
-Always On is a new feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers:
-- User sign-on
-- Network change
+The following table lists the VPN settings and whether the setting can be configured in Intune and Configuration Manager, or can only be configured using **ProfileXML**.
-When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* > **Let apps automatically use this VPN connection**.
+| Profile setting | Can be configured in Intune and Configuration Manager |
+| --- | --- |
+| Connection type | yes |
+| Routing: split-tunnel routes | yes, except exclusion routes |
+| Routing: forced-tunnel | yes |
+| Authentication (EAP) | yes, if connection type is built-in |
+| Conditional access | yes |
+| Proxy settings | yes, by PAC/WPAD file or server and port |
+| Name resolution: NRPT | yes |
+| Name resolution: DNS suffix | no |
+| Name resolution: persistent | no |
+| Auto-trigger: app trigger | yes |
+| Auto-trigger: name trigger | yes |
+| Auto-trigger: Always On | no |
+| Auto-trigger: trusted network detection | no |
+| LockDown | no |
+| Windows Information Protection (WIP) | no |
+| Traffic filters | yes |
-## App-triggered VPN
+The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.
-VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. This feature was included in Windows 8.1 as "On demand VPN". The applications can be defined using the following:
-- Package family name for Universal Windows Platform (UWP) apps
-- File path for Classic Windows applications
-## Traffic filters
+## Sample Native VPN profile
-Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy . With the ever-increasing landscape of remote threats on the corporate network and lesser IT controls on machines, it becomes essential to control the traffic that is allowed through. While server-side layers of firewalls and proxies help, by adding traffic filters the first layer of filtering can be moved onto the client with more advanced filtering on the server side. There are two types of Traffic Filter rules:
+The following is a sample Native VPN profile. This blob would fall under the ProfileXML node.
-- **App-based rules**. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface.
-- **Traffic-based rules**. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface.
+```
+
+ TestVpnProfile
+
+ testServer.VPN.com
+ IKEv2
+
+
+
+ Eap
+ Eap
+
+
+
+
+ 25
+ 0
+ 0
+ 0
+
+
+
+ 25
+
+
+ true
+
+ d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2
+ d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74
+
+ true
+ false
+
+ 13
+
+
+
+ true
+
+
+
+ true
+
+ d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2
+ d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74
+
+ false
+ true
+ false
+
+
+
+
+ AAD Conditional Access
+ 1.3.6.1.4.1.311.87
+
+
+
+
+ AAD Conditional Access
+
+
+
+
+
+
+ false
+ true
+
+ true
+ false
+
+
+
+
+
+
+
+
+
+
+ SplitTunnel
+ true
+
+
+ 192.168.0.0
+ 24
+
+
+ 10.10.0.0
+ 16
+
+
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+
+
+
+ C:\windows\system32\ping.exe
+
+
+
+
+
+
+ %ProgramFiles%\Internet Explorer\iexplore.exe
+
+ 6
+ 10,20-50,100-200
+ 20-50,100-200,300
+ 30.30.0.0/16,10.10.10.10-20.20.20.20
+ ForceTunnel
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+ 3.3.3.3/32,1.1.1.1-2.2.2.2
+
+
+
+
+ hrsite.corporate.contoso.com
+ 1.2.3.4,5.6.7.8
+ 5.5.5.5
+ true
+
+
+ .corp.contoso.com
+ 10.10.10.10,20.20.20.20
+ 100.100.100.100
+
+
+
+ corp.contoso.com
+ true
+
+
+ false
+ corp.contoso.com
+ contoso.com
+
+
+ HelloServer
+
+ Helloworld.Com
+
+
+
+
+ true
+
+ true
+ This is my Eku
+ This is my issuer hash
+
+
+
+```
-There can be many sets of rules which are linked by **OR**. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by **AND**. This gives the IT admins a lot of power to craft the perfect policy befitting their use case.
+## Sample plug-in VPN profile
-## LockDown VPN
+The following is a sample plug-in VPN profile. This blob would fall under the ProfileXML node.
-A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
-- The system attempts to keep the VPN connected at all times.
-- The user cannot disconnect the VPN connection.
-- The user cannot delete or modify the VPN profile.
-- The VPN LockDown profile uses forced tunnel connection.
-- If the VPN connection is not available, outbound network traffic is blocked.
-- Only one VPN LockDown profile is allowed on a device.
-> **Note:** For inbox VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) tunnel type.
-
-## Learn about VPN and the Conditional Access Framework in Azure Active Directory
+```
+
+ TestVpnProfile
+
+ testserver1.contoso.com;testserver2.contoso..com
+ JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy
+ <pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>
+
+
+ 192.168.0.0
+ 24
+
+
+ 10.10.0.0
+ 16
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+
+
+
+ %ProgramFiles%\Internet Explorer\iexplore.exe
+
+
+
+
+ %ProgramFiles%\Internet Explorer\iexplore.exe
+
+ 6
+ 10,20-50,100-200
+ 20-50,100-200,300
+ 30.30.0.0/16,10.10.10.10-20.20.20.20
+
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+ 3.3.3.3/32,1.1.1.1-2.2.2.2
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+ O:SYG:SYD:(A;;CC;;;AU)
+
+
+
+ corp.contoso.com
+ 1.2.3.4,5.6.7.8
+ 5.5.5.5
+ false
+
+
+ corp.contoso.com
+ 10.10.10.10,20.20.20.20
+ 100.100.100.100
+
+
+ true
+ false
+ corp.contoso.com
+ contoso.com,test.corp.contoso.com
+
+
+ HelloServer
+
+ Helloworld.Com
+
+
-- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
-- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2/)
-- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3/)
-- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
+```
+
+## Apply ProfileXML using Intune
+
+After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
+
+The OMS-URI setting to apply ProfileXML is **./user/vendor/MSFT/*VPN profile name*/ProfileXML**.
+
+
## Learn more
@@ -65,3 +305,13 @@ A VPN profile configured with LockDown secures the device to only allow network
- [VPNv2 configuration service provider (CSP) reference](https://go.microsoft.com/fwlink/p/?LinkId=617588)
- [How to Create VPN Profiles in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=618028)
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
diff --git a/windows/keep-secure/vpn-routing.md b/windows/keep-secure/vpn-routing.md
new file mode 100644
index 0000000000..5065c6aaa5
--- /dev/null
+++ b/windows/keep-secure/vpn-routing.md
@@ -0,0 +1,68 @@
+---
+title: VPN routing decisions (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN routing decisions
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection.
+
+## Split tunnel configuration
+
+In a split tunnel configuration, routes can be specified to go over VPN and all other traffic will go over the physical interface.
+
+Routes can be configured using the VPNv2/*ProfileName*/RouteList setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+
+For each route item in the list the following can be specified:
+
+- **Address**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Address
+- **Prefix size**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Prefix
+- **Exclusion route**: VPNv2/*ProfileName*/RouteList/*routeRowId*/ExclusionRoute
+
+ Windows VPN platform now supports the ability to specify exclusion routes that specifically should not go over the physical interface.
+
+Routes can also be added at connect time through the server for UWP VPN apps.
+
+## Force tunnel configuration
+
+In a force tunnel configuration, all traffic will go over VPN. This is the default configuration and takes effect if no routes are specified.
+
+The only implication of this setting is the manipulation of routing entries. In the case of a force Tunnel VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower Metric than ones for other interfaces. This sends traffic through the VPN as long as there isn’t a specific route on the Physical Interface itself.
+
+For built-in VPN, this decision is controlled using the MDM setting **VPNv2/ProfileName/NativeProfile/RoutingPolicyType**.
+
+For a UWP VPN plug-in, this property is directly controlled by the app. If the VPN plug-in passes only 2 include routes (default route for both v4 and v6), the Windows VPN Platform marks the VPN as force tunnel.
+
+## Configure routing
+
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
+
+When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration.
+
+
+
+Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection.
+
+
+
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN security features](vpn-security-features.md)
+- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/keep-secure/vpn-security-features.md b/windows/keep-secure/vpn-security-features.md
new file mode 100644
index 0000000000..93238fc9ca
--- /dev/null
+++ b/windows/keep-secure/vpn-security-features.md
@@ -0,0 +1,87 @@
+---
+title: VPN security features (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: jdeckerMS
+localizationpriority: high
+---
+
+# VPN security features
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+
+## LockDown VPN
+
+A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
+
+- The system attempts to keep the VPN connected at all times.
+- The user cannot disconnect the VPN connection.
+- The user cannot delete or modify the VPN profile.
+- The VPN LockDown profile uses forced tunnel connection.
+- If the VPN connection is not available, outbound network traffic is blocked.
+- Only one VPN LockDown profile is allowed on a device.
+
+>[!NOTE]
+>For built-in VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
+
+Deploy this feature with caution as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
+
+
+
+## Windows Information Protection (WIP) integration with VPN
+
+Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
+
+The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
+
+- Core functionality: File encryption and file access blocking
+- UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations
+- WIP network policy enforcement: Protecting intranet resources over the corporate network and VPN
+- Network policy enforcement: Protecting SMB and Internet cloud resources over the corporate network and VPN
+
+The value of the **EdpModeId** is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app.
+
+Additionally, when connecting with WIP, the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced configuration is needed) because the WIP policies and App lists automatically take effect.
+
+[Learn more about Windows Information Protection](protect-enterprise-data-using-wip.md)
+
+
+## Traffic filters
+
+Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy. Network admins to effectively add interface specific firewall rules on the VPN Interface.There are two types of Traffic Filter rules:
+
+- App-based rules. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface.
+- Traffic-based rules. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface.
+
+There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied at a per-app level or a per-device level.
+
+For example, an admin could define rules that specify:
+
+- The Contoso HR App must be allowed to go through the VPN and only access port 4545.
+- The Contoso finance apps is allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889.
+- All other apps on the device should be able to access only ports 80 or 443.
+
+## Configure traffic filters
+
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
+
+The following image shows the interface to configure traffic rules in a VPN Profile configuration policy using Microsoft Intune.
+
+
+
+## Related topics
+
+- [VPN technical guide](vpn-guide.md)
+- [VPN connection types](vpn-connection-type.md)
+- [VPN routing decisions](vpn-routing.md)
+- [VPN authentication options](vpn-authentication.md)
+- [VPN and conditional access](vpn-conditional-access.md)
+- [VPN name resolution](vpn-name-resolution.md)
+- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
+- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md
index 5ad7eddc7a..f2db32eb9d 100644
--- a/windows/keep-secure/windows-10-security-guide.md
+++ b/windows/keep-secure/windows-10-security-guide.md
@@ -21,7 +21,7 @@ This guide provides a detailed description of the most important security improv
#### Introduction
Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors. Three broad categories of security work went into Windows 10:
-- [**Identity and access control**](#identity) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users’ credentials.
+- [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users’ credentials.
- [**Information protection**](#information) that guards information at rest, in use, and in transit. In addition to BitLocker and BitLocker To Go for protection of data at rest, Windows 10 includes file-level encryption with Enterprise Data Protection that performs data separation and containment and, when combined with Rights Management services, can keep data encrypted when it leaves the corporate network. Windows 10 can also help keep data secure by using virtual private networks (VPNs) and Internet Protocol Security.
- [**Malware resistance**](#malware) includes architectural changes that can isolate critical system and security components from threats. Several new features in Windows 10 help reduce the threat of malware, including VBS, Device Guard, Microsoft Edge, and an entirely new version of Windows Defender. In addition, the many antimalware features from the Windows 8.1 operating system— including AppContainers for application sandboxing and numerous boot-protection features, such as Trusted Boot—have been carried forward and improved in Windows 10.
@@ -436,7 +436,7 @@ The functionality a TPM provides includes:
Microsoft combined this small list of TPM benefits with Windows 10 and other hardware security technologies to provide practical security and privacy benefits.
-Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measure-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PC’s TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.
+Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measured-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PC’s TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.
Windows 10 supports TPM implementations that comply with either the 1.2 or 2.0 standards. Several improvements have been made in the TPM 2.0 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. At the time the TPM 1.2 standard was created in the early 2000s, these algorithms were considered cryptographically strong. Since that time, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection as well as the ability to plug in algorithms that may be preferred in certain geographies or industries. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself.
@@ -576,7 +576,7 @@ The core functionality and protection of Device Guard starts at the hardware lev
Device Guard leverages VBS to isolate its Hypervisor Code Integrity (HVCI) service, which enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s IOMMU functionality to force all software running in kernel mode to safely allocate memory. This means that after memory has been allocated, its state must be changed from writable to read only or execute only. By forcing memory into these states, it helps ensure that attacks are unable to inject malicious code into kernel mode processes and drivers through techniques such as buffer overruns or heap spraying. In the end, the VBS environment protects the Device Guard HVCI service from tampering even if the operating system’s kernel has been fully compromised, and HVCI protects kernel mode processes and drivers so that a compromise of this magnitude can't happen in the first place.
-Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the user’s derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the user’s derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach you’ve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#dgwithcg) section.
+Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the user’s derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the user’s derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach you’ve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#device-guard-with-credential-guard) section.
#### Device Guard with AppLocker
diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md
index 4d3345f8a1..7a77dece05 100644
--- a/windows/keep-secure/windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md
@@ -20,6 +20,7 @@ localizationpriority: high
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
>For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index 9b54a7e5a7..e82ec6f3d5 100644
--- a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -36,7 +36,7 @@ This guide is intended for IT pros, system administrators, and IT managers, and
| Section | Description |
| - | - |
-| [Set profile global defaults](#set-profile-global-defaults) | Enable and control firewall behavior|
+| [Set profile global defaults](#bkmk-profileglobaldefaults) | Enable and control firewall behavior|
| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules|
| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`|
| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters|
diff --git a/windows/keep-secure/windows-security-baselines.md b/windows/keep-secure/windows-security-baselines.md
index ee48d1325c..f62ee298ba 100644
--- a/windows/keep-secure/windows-security-baselines.md
+++ b/windows/keep-secure/windows-security-baselines.md
@@ -11,6 +11,12 @@ author: brianlic-msft
# Windows security baselines
+**Applies to**
+
+- Windows 10
+- Windows Server 2016
+- Windows Server 2012 R2
+
Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
@@ -51,12 +57,13 @@ To help faster deployments and increase the ease of managing Windows, Microsoft
### Windows 10 security baselines
+ - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- [Windows 10, Version 1511 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799381)
- [Windows 10, Version 1507 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799380)
-
### Windows Server security baselines
+ - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- [Windows Server 2012 R2 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799382)
## How can I monitor security baseline deployments?
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index 1eee1f803e..71157f3110 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -17,7 +17,9 @@
#### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
### [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
### [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+### [Manage device restarts after updates](waas-restart.md)
## [Manage corporate devices](manage-corporate-devices.md)
+### [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
@@ -86,6 +88,7 @@
##### [About App-V Reporting](appv-reporting.md)
##### [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](appv-install-the-reporting-server-on-a-standalone-computer.md)
#### [App-V Deployment Checklist](appv-deployment-checklist.md)
+#### [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
#### [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
#### [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
### [Operations for App-V](appv-operations.md)
diff --git a/windows/manage/acquire-apps-windows-store-for-business.md b/windows/manage/acquire-apps-windows-store-for-business.md
index f9a6004ba5..156d071c04 100644
--- a/windows/manage/acquire-apps-windows-store-for-business.md
+++ b/windows/manage/acquire-apps-windows-store-for-business.md
@@ -33,7 +33,7 @@ There are a couple of things we need to know when you pay for apps. You can add
You can add payment info on **Account information**. If you don’t have one saved with your account, you’ll be prompted to provide one when you buy an app.
## Acquire apps
-To acquire an app
+**To acquire an app**
1. Log in to http://businessstore.microsoft.com
2. Click Shop, or use Search to find an app.
3. Click the app you want to purchase.
@@ -42,7 +42,7 @@ To acquire an app
6. If you don’t have a payment method saved in Account settings, Store for Business will prompt you for one.
7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Account information**.
-You’ll also need to have your business address saved on **Account information**. The address is used to generate tax rates. For more information on taxes for apps, see organization tax information.
+You’ll also need to have your business address saved on **Account information**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information).
Store for Business adds the app to your inventory. From **Inventory**, you can:
- Distribute the app: add to private store, or assign licenses
diff --git a/windows/manage/app-inventory-management-windows-store-for-business.md b/windows/manage/app-inventory-management-windows-store-for-business.md
index ec263eede3..e228b7bbba 100644
--- a/windows/manage/app-inventory-management-windows-store-for-business.md
+++ b/windows/manage/app-inventory-management-windows-store-for-business.md
@@ -209,6 +209,19 @@ For each app in your inventory, you can view and manage license details. This gi
Store for Business updates the list of assigned licenses.
+### Purchase additional licenses
+You can purchase additional licenses for apps in your Inventory.
+
+**To purchase additional app licenses**
+
+1. Sign in to [Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845)
+2. Click **Manage**, and then choose **Inventory**.
+3. From **Inventory**, click an app.
+4. On the app page, click **View app details**.
+5. From this page, click **Buy more** for additional licenses, or click **Manage** to work with your current licenses.
+
+You'll have a summary of current license availability.
+
### Download offline-licensed app
Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store.
diff --git a/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
index 467da82dda..fac7e4b9ae 100644
--- a/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
+++ b/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
@@ -16,7 +16,7 @@ ms.prod: w10
You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods:
-- [How to use Windows PowerShell cmdlets to create user-entitled connection groups](#how-to-use-powershell-cmdlets-to-create-user-entitled-connection-groups)
+- [How to use Windows PowerShell cmdlets to create user-entitled connection groups](#how-to-use-windows-powershell-cmdlets-to-create-user-entitled-connection-groups)
- [How to use the App-V Server to create user-entitled connection groups](#how-to-use-the-app-v-server-to-create-user-entitled-connection-groups)
diff --git a/windows/manage/appv-deploying-appv.md b/windows/manage/appv-deploying-appv.md
index d9b76d330e..8ab2d78d3d 100644
--- a/windows/manage/appv-deploying-appv.md
+++ b/windows/manage/appv-deploying-appv.md
@@ -30,7 +30,8 @@ App-V supports a number of different deployment options. Review this topic for i
This section provides a deployment checklist that can be used to assist with installing App-V.
-- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
+- [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
+[Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
[Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
These sections describe how to use App-V to deliver Microsoft Office as a virtualized application to computers in your organization.
diff --git a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
index c492e3a97e..35d5d237ef 100644
--- a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
@@ -243,7 +243,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
**Note**
The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file.
- The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-XML-file), later in this topic.
+ The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-xml-file), later in this topic.
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
diff --git a/windows/manage/appv-deploying-microsoft-office-2016-with-appv.md b/windows/manage/appv-deploying-microsoft-office-2016-with-appv.md
new file mode 100644
index 0000000000..c6138158ae
--- /dev/null
+++ b/windows/manage/appv-deploying-microsoft-office-2016-with-appv.md
@@ -0,0 +1,444 @@
+---
+title: Deploying Microsoft Office 2016 by Using App-V (Windows 10)
+description: Deploying Microsoft Office 2016 by Using App-V
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# Deploying Microsoft Office 2016 by Using App-V
+
+**Applies to**
+- Windows 10, version 1607
+
+Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2013, see [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md).
+
+This topic contains the following sections:
+
+- [What to know before you start](#what-to-know-before-you-start)
+
+- [Creating an Office 2016 package for App-V with the Office Deployment Tool](#creating-an-office-2016-package-for-app-v-with-the-office-deployment-tool)
+
+- [Publishing the Office package for App-V](#publishing-the-office-package-for-app-v)
+
+- [Customizing and managing Office App-V packages](#customizing-and-managing-office-app-v-packages)
+
+## What to know before you start
+
+Before you deploy Office 2016 by using App-V, review the following planning information.
+
+### Supported Office versions and Office coexistence
+
+Use the following table to get information about supported versions of Office and about running coexisting versions of Office.
+
+| **Information to review** | **Description** |
+|-------------------------------------|------------------------|
+| [Supported versions of Microsoft Office](appv-planning-for-using-appv-with-office.md#bkmk-office-vers-supp-appv) | - Supported versions of Office
- Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)
- Office licensing options |
+| [Planning for using App-V with coexisting versions of Office](appv-planning-for-using-appv-with-office.md#bkmk-plan-coexisting) | Considerations for installing different versions of Office on the same computer |
+
+### Packaging, publishing, and deployment requirements
+
+Before you deploy Office by using App-V, review the following requirements.
+
+
+
+| **Task** | **Requirement** |
+|-----------|-------------------|
+| Packaging | - All of the Office applications that you want to deploy to users must be in a single package.
- In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.
- If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office). |
+| Publishing | - You can publish only one Office package to each client computer.
- You must publish the Office package globally. You cannot publish to the user. |
+| Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:
- Office 365 ProPlus
- Visio Pro for Office 365
- Project Pro for Office 365 | You must enable [shared computer activation](https://technet.microsoft.com/library/dn782860.aspx). |
+
+### Excluding Office applications from a package
+
+The following table describes the recommended methods for excluding specific Office applications from a package.
+
+| **Task** | **Details** |
+|-------------|---------------|
+| Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool. | Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.
For more information, see [ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#BKMK_ExcludeAppElement). |
+| Modify the DeploymentConfig.xml file | Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.
For more information, see [Disabling Office 2016 applications](#disabling-office-2016-applications). |
+
+## Creating an Office 2016 package for App-V with the Office Deployment Tool
+
+Complete the following steps to create an Office 2016 package for App-V.
+
+>**Important** In App-V 5.0 and later, you must use the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
+
+### Review prerequisites for using the Office Deployment Tool
+
+The computer on which you are installing the Office Deployment Tool must have:
+
+
+
+| **Prerequisite** | **Description** |
+|----------------------|--------------------|
+| Prerequisite software | .Net Framework 4 |
+| Supported operating systems | - 64-bit version of Windows 10
- 64-bit version of Windows 8 or 8.1
- 64-bit version of Windows 7 |
+
+>**Note** In this topic, the term “Office 2016 App-V package” refers to subscription licensing.
+
+### Create Office 2016 App-V Packages Using Office Deployment Tool
+
+You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Subscription Licensing.
+
+Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers.
+
+### Download the Office Deployment Tool
+
+Office 2016 App-V Packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation:
+
+1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117).
+
+ > **Important** You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages.
+
+2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
+
+ Example: \\\\Server\\Office2016
+
+3. Check that a setup.exe and a configuration.xml file exist and are in the location you specified.
+
+### Download Office 2016 applications
+
+After you download the Office Deployment Tool, you can use it to get the latest Office 2016 applications. After getting the Office applications, you create the Office 2016 App-V package.
+
+The XML file that is included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included.
+
+**Step 1: Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications:
+
+1. Open the sample XML file in Notepad or your favorite text editor.
+
+2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file:
+
+ ```
+
+
+
+
+
+
+
+
+
+
+ ```
+
+ >**Note** The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the “<! - -“ from the beginning of the line, and the “-- >” from the end of the line.
+
+ The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016, which is the location where Office applications will be saved. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
+
+| **Input** | **Description** | **Example** |
+|--------------|----------------------------|----------------|
+| Add element | Specifies the products and languages to include in the package. | N/A |
+| OfficeClientEdition (attribute of Add element) | Specifies the edition of Office 2016 product to use: 32-bit or 64-bit. The operation fails if **OfficeClientEdition** is not set to a valid value. | **OfficeClientEdition**="32"
**OfficeClientEdition**="64" |
+| Product element | Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.
For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297). | `Product ID ="O365ProPlusRetail"`
`Product ID ="VisioProRetail"`
`Product ID ="ProjectProRetail"` |
+| Language element | Specifies the language supported in the applications | `Language ID="en-us"` |
+| Version (attribute of Add element) | Optional. Specifies a build to use for the package
Defaults to latest advertised build (as defined in v32.CAB at the Office source). | `16.1.2.3` |
+| SourcePath (attribute of Add element) | Specifies the location in which the applications will be saved to. | `Sourcepath = "\\Server\Office2016"` |
+| Channel (part of Add element) | Optional. Defines which channel to use for updating Office after it is installed.
The default is **Deferred** for Office 365 ProPlus and **Current** for Visio Pro for Office 365 and Project Online Desktop Client.
For more information about update channels, see [Overview of update channels for Office 365 ProPlus](https://technet.microsoft.com/library/mt455210.aspx). | `Channel="Current"`
`Channel="Deferred"`
`Channel="FirstReleaseDeferred"`
`Channel="FirstReleaseCurrent"` |
+
+After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
+
+**Step 2: Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with description of details:
+
+`\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml`
+
+In the example:
+
+| Element | Description |
+|-------------------------------|--------------------------------------|
+| **\\\\server\\Office2016** | is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml. |
+| **Setup.exe** | is the Office Deployment Tool. |
+| **/download** | downloads the Office 2016 applications that you specify in the customConfig.xml file. |
+| **\\\\server\\Office2016\\Customconfig.xml** | passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \\\\Server\\Office2016. |
+
+### Convert the Office applications into an App-V package
+
+After you download the Office 2016 applications through the Office Deployment Tool, use the Office Deployment Tool to convert them into an Office 2016 App-V package. Complete the steps that correspond to your licensing model.
+
+**Summary of what you’ll need to do:**
+
+- Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers.
+
+- Create an Office App-V package for either Subscription Licensing package by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file.
+
+ The following table summarizes the values you need to enter in the CustomConfig.xml file. The steps in the sections that follow the table will specify the exact entries you need to make.
+
+>**Note** You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
+
+| **Product ID** | **Subscription Licensing** |
+|--------------------------------------------------|-------------------------------------------------------------|
+| **Office 2016** | O365ProPlusRetail |
+| **Office 2016 with Visio 2016** | O365ProPlusRetail
VisioProRetail |
+| **Office 2016 with Visio 2016 and Project 2016** | O365ProPlusRetail
VisioProRetail
ProjectProRetail |
+
+#### How to convert the Office applications into an App-V package
+1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file:
+
+ - **SourcePath**: Point to the Office applications downloaded earlier.
+
+ - **ProductID**: Specify the type of licensing, as shown in the following example:
+
+ - Subscription Licensing:
+ ```
+
+
+
+
+
+
+
+
+
+
+ ```
+ In this example, the following changes were made to create a package with Subscription licensing:
+
+ **SourcePath** is the path, which was changed to point to the Office applications that were downloaded earlier.
+ **Product ID** for Office was changed to `O365ProPlusRetail`.
+ **Product ID** for Visio was changed to `VisioProRetail`.
+
+ - **ExcludeApp** (optional): Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access.
+
+ - **PACKAGEGUID** (optional): By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.
+
+ An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.
+
+ >**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
+
+2. Use the /packager command to convert the Office applications to an Office 2016 App-V package.
+
+ For example:
+
+ ``` syntax
+ \\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml \\server\share\Office2016AppV
+ ```
+
+ In the example:
+
+
+
+
+
+
+
+
+ \\server\Office2016
|
+ is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml. |
+
+
+ Setup.exe
|
+ is the Office Deployment Tool. |
+
+
+ /packager
|
+ creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file. |
+
+
+ \\server\Office2016\Customconfig.xml
|
+ passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage. |
+
+
+ \\server\share\Office2016AppV
|
+ specifies the location of the newly created Office App-V package. |
+
+
+
+
+ After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved:
+
+ - **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files.
+ - **WorkingDir**
+
+ **Note** To troubleshoot any issues, see the log files in the %temp% directory (default).
+
+3. Verify that the Office 2016 App-V package works correctly:
+
+ 1. Publish the Office 2016 App-V package, which you created globally, to a test computer, and verify that the Office 2016 shortcuts appear.
+
+ 2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected.
+
+## Publishing the Office package for App-V
+
+Use the following information to publish an Office package.
+
+### Methods for publishing Office App-V packages
+
+Deploy the App-V package for Office 2016 by using the same methods you use for any other package:
+
+- System Center Configuration Manager
+
+- App-V Server
+
+- Stand-alone through Windows PowerShell commands
+
+### Publishing prerequisites and requirements
+
+| **Prerequisite or requirement** | **Details** |
+|---------------------------------------|--------------------|
+| Enable Windows PowerShell scripting on the App-V clients | To publish Office 2016 packages, you must run a script.
Package scripts are disabled by default on App-V clients. To enable scripting, run the following Windows PowerShell command:
`Set-AppvClientConfiguration -EnablePackageScripts 1` |
+| Publish the Office 2016 package globally | Extension points in the Office App-V package require installation at the computer level.
When you publish at the computer level, no prerequisite actions or redistributables are needed, and the Office 2016 package globally enables its applications to work like natively installed Office, eliminating the need for administrators to customize packages. |
+
+### How to publish an Office package
+
+Run the following command to publish an Office package globally:
+
+- `Add-AppvClientPackage | Publish-AppvClientPackage -global`
+
+- From the Web Management Console on the App-V Server, you can add permissions to a group of computers instead of to a user group to enable packages to be published globally to the computers in the corresponding group.
+
+## Customizing and managing Office App-V packages
+
+To manage your Office App-V packages, use the same operations as you would for any other package, with a few exceptions as outlined in the following sections.
+
+- [Enabling Office plug-ins by using connection groups](#enabling-office-plug-ins-by-using-connection-groups)
+
+- [Disabling Office 2016 applications](#disabling-office-2016-applications)
+
+- [Disabling Office 2016 shortcuts](#disabling-office-2016-shortcuts)
+
+- [Managing Office 2016 package upgrades](#managing-office-2016-package-upgrades)
+
+- [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office)
+
+### Enabling Office plug-ins by using connection groups
+
+Use the steps in this section to enable Office plug-ins with your Office package. To use Office plug-ins, you must use the App-V Sequencer to create a separate package that contains just the plug-ins. You cannot use the Office Deployment Tool to create the plug-ins package. You then create a connection group that contains the Office package and the plug-ins package, as described in the following steps.
+
+#### To enable plug-ins for Office App-V packages
+
+1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a Windows PowerShell cmdlet.
+
+2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
+
+3. Create an App-V package that includes the desired plug-ins.
+
+4. Add a Connection Group through App-V server, System Center Configuration Manager, or a Windows PowerShell cmdlet.
+
+5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
+
+ > **Important** The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.
+
+6. Ensure that both packages are published to the target computer and that the plug-in package is published globally to match the global settings of the published Office 2016 App-V package.
+
+7. Verify that the Deployment Configuration File of the plug-in package has the same settings that the Office 2016 App-V package has.
+
+ Since the Office 2016 App-V package is integrated with the operating system, the plug-in package settings should match. You can search the Deployment Configuration File for “COM Mode” and ensure that your plug-ins package has that value set as “Integrated” and that both "InProcessEnabled" and "OutOfProcessEnabled" match the settings of the Office 2016 App-V package you published.
+
+8. Open the Deployment Configuration File and set the value for **Objects Enabled** to **false**.
+
+9. If you made any changes to the Deployment Configuration file after sequencing, ensure that the plug-in package is published with the file.
+
+10. Ensure that the Connection Group you created is enabled onto your desired computer. The Connection Group created will likely “pend” if the Office 2016 App-V package is in use when the Connection Group is enabled. If that happens, you have to reboot to successfully enable the Connection Group.
+
+11. After you successfully publish both packages and enable the Connection Group, start the target Office 2016 application and verify that the plug-in you published and added to the connection group works as expected.
+
+### Disabling Office 2016 applications
+
+You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
+
+>**Note** To exclude specific Office applications (for example, Access) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.
+
+#### To disable an Office 2016 application
+
+1. Open a Deployment Configuration File with a text editor such as **Notepad** and search for “Applications."
+
+2. Search for the Office application you want to disable, for example, Access 2016.
+
+3. Change the value of "Enabled" from "true" to "false."
+
+4. Save the Deployment Configuration File.
+
+5. Add the Office 2016 App-V Package with the new Deployment Configuration File.
+
+ ``` syntax
+
+
+ Lync 2016
+
+
+
+
+
+
+ Access 2016
+
+
+
+
+ ```
+
+6. Re-add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
+
+### Disabling Office 2016 shortcuts
+
+You may want to disable shortcuts for certain Office applications instead of unpublishing or removing the package. The following example shows how to disable shortcuts for Microsoft Access.
+
+#### To disable shortcuts for Office 2016 applications
+
+1. Open a Deployment Configuration File in Notepad and search for “Shortcuts”.
+
+2. To disable certain shortcuts, delete or comment out the specific shortcuts you don’t want. You must keep the subsystem present and enabled. For example, in the example below, delete the Microsoft Access shortcuts, while keeping the subsystems <shortcut> </shortcut> intact to disable the Microsoft Access shortcut.
+
+ ``` syntax
+ Shortcuts
+
+ -->
+
+
+
+
+ [{Common Programs}]\Microsoft Office 2016\Access 2016.lnk
+ [{AppvPackageRoot}])office16\MSACCESS.EXE
+ [{Windows}]\Installer\{90150000-000F-0000-0000-000000FF1CE)\accicons.exe.Ø.ico
+
+
+ Microsoft.Office.MSACCESS.EXE.16
+ true
+ Build a professional app quickly to manage data.
+ l
+ [{AppVPackageRoot}]\officel6\MSACCESS.EXE
+
+ ```
+
+3. Save the Deployment Configuration File.
+
+4. Republish Office 2016 App-V Package with new Deployment Configuration File.
+
+Many additional settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document.
+
+### Managing Office 2016 package upgrades
+
+To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a previously deployed Office 2016 package, perform the following steps.
+
+#### How to upgrade a previously deployed Office 2016 package
+
+1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage.
+
+ > **Note** Office App-V packages have two Version IDs:
+ > - An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
+ > - A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
+
+2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast.
+
+3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
+
+### Deploying Visio 2016 and Project 2016 with Office
+
+The following table describes the requirements and options for deploying Visio 2016 and Project 2016 with Office.
+
+| **Task** | **Details** |
+|---------------------|---------------|
+| How do I package and publish Visio 2016 and Project 2016 with Office? | You must include Visio 2016 and Project 2016 in the same package with Office.
If you are not deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic. |
+| How can I deploy Visio 2016 and Project 2016 to specific users? | Use one of the following methods:
**To create two different packages and deploy each one to a different group of users**:
Create and deploy the following packages:
- A package that contains only Office - deploy to computers whose users need only Office.
- A package that contains Office, Visio, and Project - deploy to computers whose users need all three applications.
**To create only one package for the whole organization, or create a package intended for users who share computers**:
Follow these steps:
1. Create a package that contains Office, Visio, and Project.
2. Deploy the package to all users.
3. Use [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) to prevent specific users from using Visio and Project. |
+
+## Related topics
+
+- [Deploying App-V for Windows 10](appv-deploying-appv.md)
+- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
+- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
+- [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117)
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
diff --git a/windows/manage/appv-deploying-the-appv-sequencer-and-client.md b/windows/manage/appv-deploying-the-appv-sequencer-and-client.md
index ca8397a1fe..21632ad793 100644
--- a/windows/manage/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/manage/appv-deploying-the-appv-sequencer-and-client.md
@@ -80,7 +80,7 @@ Set-AppvClientConfiguration -SharedContentStoreMode 1
The Sequencer is a tool that is used to convert standard applications into virtual packages for deployment to computers that run the App-V client. The Sequencer helps provide a simple and predictable conversion process with minimal changes to prior sequencing workflows. In addition, the Sequencer allows users to more easily configure applications to enable connections of virtualized applications.
-For a list of changes in the App-V Sequencer, see [What's new in App-V](appv-about-appv.md#bkmk-seqimprove).
+For a list of changes in the App-V Sequencer, see [What's new in App-V](appv-about-appv.md).
To deploy the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md).
diff --git a/windows/manage/appv-for-windows.md b/windows/manage/appv-for-windows.md
index aa08aead59..3938202a14 100644
--- a/windows/manage/appv-for-windows.md
+++ b/windows/manage/appv-for-windows.md
@@ -35,6 +35,7 @@ The topics in this section provide information and step-by-step procedures to he
- [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md)
- [Deploying the App-V Server](appv-deploying-the-appv-server.md)
- [App-V Deployment Checklist](appv-deployment-checklist.md)
+- [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
diff --git a/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index 2c29e70fd9..e9021103ab 100644
--- a/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -75,9 +75,9 @@ Review the following requirements for using the Windows PowerShell cmdlets:
To configure these cmdlets to require an elevated command prompt, use one of the following methods:
Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.
-For more information, see:
[How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md#bkmk-admin-only-posh-topic-cg)
[How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs). For more information, see:
[How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)
[How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs).
Enable the “Require publish as administrator” Group Policy setting for App-V Clients.
-For more information, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md#bkmk-admin-pub-pkg-only-posh) For more information, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md)
|
diff --git a/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index 3d52191607..a17b12ea73 100644
--- a/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -20,15 +20,15 @@ A connection group XML file defines the connection group for the App-V client. F
This topic explains the following procedures:
-- [To add and publish the App-V packages in the connection group](#bkmk-add-pub-pkgs-in-cg)
+- [To add and publish the App-V packages in the connection group](#to-add-and-publish-the-app-v-packages-in-the-connection-group)
-- [To add and enable the connection group on the App-V client](#bkmk-add-enable-cg-on-clt)
+- [To add and enable the connection group on the App-V client](#to-add-and-enable-the-connection-group-on-the-app-v-client)
-- [To enable or disable a connection group for a specific user](#bkmk-enable-cg-for-user-poshtopic)
+- [To enable or disable a connection group for a specific user](#to-enable-or-disable-a-connection-group-for-a-specific-user)
-- [To allow only administrators to enable connection groups](#bkmk-admin-only-posh-topic-cg)
+- [To allow only administrators to enable connection groups](#to-allow-only-administrators-to-enable-connection-groups)
-**To add and publish the App-V packages in the connection group**
+## To add and publish the App-V packages in the connection group
1. To add and publish the App-V packages to the computer running the App-V client, type the following command:
@@ -36,7 +36,7 @@ This topic explains the following procedures:
2. Repeat **step 1** of this procedure for each package in the connection group.
-**To add and enable the connection group on the App-V client**
+## To add and enable the connection group on the App-V client
1. Add the connection group by typing the following command:
@@ -48,7 +48,7 @@ This topic explains the following procedures:
When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group.
-**To enable or disable a connection group for a specific user**
+## To enable or disable a connection group for a specific user
1. Review the parameter description and requirements:
@@ -89,9 +89,7 @@ This topic explains the following procedures:
-
-
-**To allow only administrators to enable connection groups**
+## To allow only administrators to enable connection groups
1. Review the description and requirement for using this cmdlet:
diff --git a/windows/manage/appv-modify-an-existing-virtual-application-package.md b/windows/manage/appv-modify-an-existing-virtual-application-package.md
index 5c84ac6d8d..38224bb8bb 100644
--- a/windows/manage/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/manage/appv-modify-an-existing-virtual-application-package.md
@@ -16,11 +16,11 @@ ms.prod: w10
This topic explains how to:
-- [Update an application in an existing virtual application package](#bkmk-update-app-in-pkg)
+- [Update an application in an existing virtual application package](#update-an-application-in-an-existing-virtual-application-package)
-- [Modify the properties associated with an existing virtual application package](#bkmk-chg-props-in-pkg)
+- [Modify the properties associated with an existing virtual application package](#modify-the-properties-associated-with-an-existing-virtual-application-package)
-- [Add a new application to an existing virtual application package](#bkmk-add-app-to-pkg)
+- [Add a new application to an existing virtual application package](#add-a-new-application-to-an-existing-virtual-application-package)
**Before you update a package:**
@@ -32,7 +32,7 @@ This topic explains how to:
- If you click **Modify an Existing Virtual Application Package** in the Sequencer in order to edit a package, but then make no changes and close the package, the streaming behavior of the package is changed. The primary feature block is removed from the StreamMap.xml file, and any files that were listed in the publishing feature block are removed. Users who receive the edited package experience that package as if it were stream-faulted, regardless of how the original package was configured.
-**Update an application in an existing virtual application package**
+## Update an application in an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -47,25 +47,17 @@ This topic explains how to:
**Important**
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package.
-
-
6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**.
- **Note**
- The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
+ >**Note** The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
8. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information. To proceed, click **Next**.
9. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all of the applications to run. After all applications have run, close each of the applications, and then click **Next**.
- **Note**
- You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
-
-
+ >**Note** You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**.
@@ -73,7 +65,8 @@ This topic explains how to:
11. On the **Completion** page, click **Close** to close the wizard. The package is now available in the sequencer.
-**Modify the properties associated with an existing virtual application package**
+
+## Modify the properties associated with an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -109,14 +102,11 @@ This topic explains how to:
- Add or edit shortcuts and file type associations.
- **Note**
- To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
-
-
+ >**Note** To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
6. When you finish changing the package properties, click **File** > **Save** to save the package.
-**Add a new application to an existing virtual application package**
+## Add a new application to an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -128,19 +118,13 @@ This topic explains how to:
5. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or cause the revised package to contain unnecessary data. Resolve all potential issues before you continue. After making any corrections and resolving all potential issues, click **Refresh** > **Next**.
- **Important**
- If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
-
-
+ >**Important** If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** > **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you don’t overwrite the existing version of the virtual application package.
- **Note**
- The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
+ >**Note** The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
8. On the **Configure Software** page, optionally run the programs contained in the package. This step completes any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**.
@@ -152,10 +136,7 @@ This topic explains how to:
11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**.
- **Note**
- You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
-
-
+ >**Note** You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
12. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the App-V Sequencer console, where you can modify the package before saving it. Click **Next**.
diff --git a/windows/manage/appv-planning-for-sequencer-and-client-deployment.md b/windows/manage/appv-planning-for-sequencer-and-client-deployment.md
index bd7f629151..07c1f7c438 100644
--- a/windows/manage/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/manage/appv-planning-for-sequencer-and-client-deployment.md
@@ -21,7 +21,7 @@ Before you can use App-V, you must install the App-V Sequencer, enable the App-V
App-V uses a process called sequencing to create virtualized applications and application packages. Sequencing requires the use of a computer that runs the App-V Sequencer.
> [!NOTE]
-> For information about the new functionality of App-V sequencer, see [What's new in App-V](appv-about-appv.md#bkmk-seqimprove).
+> For information about the new functionality of App-V sequencer, see [What's new in App-V](appv-about-appv.md).
The computer that runs the App-V sequencer must meet the minimum system requirements. For a list of these requirements, see [App-V Supported Configurations](appv-supported-configurations.md).
diff --git a/windows/manage/appv-planning-for-using-appv-with-office.md b/windows/manage/appv-planning-for-using-appv-with-office.md
index 46907201bd..bd79da1f4f 100644
--- a/windows/manage/appv-planning-for-using-appv-with-office.md
+++ b/windows/manage/appv-planning-for-using-appv-with-office.md
@@ -26,15 +26,14 @@ Use the following information to plan how to deploy Office by using Microsoft Ap
## App-V support for Language Packs
-You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office 2013 package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group.
+You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group.
**Note**
Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack.
-
-
## Supported versions of Microsoft Office
+
The following table lists the versions of Microsoft Office that App-V supports, methods of Office package creation, supported licensing, and supported deployments.
@@ -55,7 +54,7 @@ The following table lists the versions of Microsoft Office that App-V supports,
|
+
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Windows Store for Business.
+
+## Deployment and Provisioning
+
+With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can:
+
+
+
+- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune).
+
+- Create self-contained provisioning packages built with the [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113(v=vs.85).aspx).
+
+- Use traditional imaging techniques such as deploying custom images using [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction).
+
+You have multiple options for [upgrading to Windows 10](https://technet.microsoft.com/itpro/windows/deploy/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
+
+## Identity and Authentication
+
+You can use Windows 10 and services like [Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-whatis/) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
+
+You can envision user and device management as falling into these two categories:
+
+- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
+
+ - For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://blogs.technet.microsoft.com/ad/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/), all from the cloud.