deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into pua

Browse Source
This commit is contained in:
Beth Levin 2020-03-03 12:49:51 -08:00
commit f75a89c905
39 changed files with 674 additions and 907 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.openpublishing.redirection.json
View File

@ -15720,6 +15720,11 @@
"source_path": "windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md",
"redirect_url": "https://docs.microsoft.com/configmgr/desktop-analytics/overview",
"redirect_document_id": false
}
},
{
"source_path": "windows/deployment/update/waas-manage-updates-configuration-manager.md",
"redirect_url": "https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service",
"redirect_document_id": false
},
]
}

4
browsers/edge/group-policies/new-tab-page-settings-gp.md
View File

@ -22,8 +22,8 @@ ms.topic: reference
Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads.
>[!NOTE]
>New tab pages do not load while running InPrivate mode.
> [!NOTE]
> New tab pages do not load while running InPrivate mode.
## Relevant group policies

4
browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md
View File

@ -13,8 +13,8 @@ ms.topic: include
By default, all sites open the currently active browser. With this policy, you can automatically open all sites not included in the Enterprise Mode Site List in Microsoft Edge. When you enable this policy, you must also turn on the Internet Explorer\Use the Enterprise Mode IE website list policy and include at least one site in the Enterprise Mode Site List.
>[!NOTE]
>If youve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11.
> [!NOTE]
> If youve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11.
You can find the group policy settings in the following location of the Group Policy Editor:

4
browsers/edge/managing-group-policy-admx-files.md
View File

@ -19,8 +19,8 @@ ms.date: 10/19/2018
ADMX files, which are registry-based policy settings provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy Object Editor. The ADMX files replace ADM files, which used a different markup language.
>[!NOTE]
>The administrative tools you use—Group Policy Object Editor and Group Policy Management Console—remain mostly unchanged. In the majority of situations, you wont notice the presence of ADMX files during your day-to-day Group Policy administration tasks.
> [!NOTE]
> The administrative tools you use—Group Policy Object Editor and Group Policy Management Console—remain mostly unchanged. In the majority of situations, you wont notice the presence of ADMX files during your day-to-day Group Policy administration tasks.
Unlike ADM files, ADMX files are not stored in individual GPOs by default; however, this behavior supports less common scenarios. For domain-based enterprises, you can create a central store location of ADMX files accessible by anyone with permission to create or edit GPOs. Group Policy tools continue to recognize other earlier ADM files you have in your existing environment. The Group Policy Object Editor automatically reads and displays Administrative Template policy settings from both the ADMX and ADM files.

16
browsers/enterprise-mode/set-up-enterprise-mode-portal.md
View File

@ -35,8 +35,8 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all
2. Install the Node.js® package manager, [npm](https://www.npmjs.com/).
>[!Note]
>You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
> [!NOTE]
> You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
3. Open File Explorer and then open the **EMIEWebPortal/** folder.
@ -105,8 +105,8 @@ Create a new Application Pool and the website, by using the IIS Manager.
9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**.
>[!Note]
>You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
> [!NOTE]
> You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
10. Return to the **<<i>website_name</i>> Home** pane, and double-click the **Connection Strings** icon.
@ -116,8 +116,8 @@ Create a new Application Pool and the website, by using the IIS Manager.
- **Initial catalog.** The name of your database.
>[!Note]
>Step 3 of this topic provides the steps to create your database.
> [!NOTE]
> Step 3 of this topic provides the steps to create your database.
## Step 3 - Create and prep your database
Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables.
@ -216,8 +216,8 @@ Register the EMIEScheduler tool and service for production site list changes.
1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\.
>[!Important]
>If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files.
> [!IMPORTANT]
> If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files.
2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_.

4
browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
View File

@ -1,8 +1,8 @@
Before you can use a site list with Enterprise Mode, you must turn the functionality on and set up the system for centralized control. By allowing
centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 wont look for an updated list again until you restart the browser.
>[!NOTE]
>We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
> [!NOTE]
> We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
**Group Policy**

14
browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
View File

@ -7,7 +7,8 @@ author: dansimp
ms.prod: ie11
ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd
ms.reviewer:
audience: itpro manager: dansimp
audience: itpro
manager: dansimp
ms.author: dansimp
title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
ms.sitesec: library
@ -62,15 +63,15 @@ Each XML file must include:
The following is an example of what your XML file should look like when youre done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
```
```xml
<site-list version="205">
<!--- File creation header --->
<!-- File creation header -->
<created-by>
<tool>EnterpriseSitelistManager</tool>
<version>10240</version>
<date-created>20150728.135021</date-created>
</created-by>
<!--- Begin Site List --->
<!-- Begin Site List -->
<site url="www.cpandl.com">
<compat-mode>IE8Enterprise</compat-mode>
<open-in>MSEdge</open-in>
@ -115,8 +116,3 @@ After youve added all of your sites to the tool and saved the file to XML, yo
- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md)

4
browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
View File

@ -81,8 +81,8 @@ Every add-on has a Class ID (CLSID) that you use to enable and disable specific
2. From the copied information, select and copy just the **Class ID** value.
>[!NOTE]
>You want to copy the curly brackets as well as the CLSID: **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**.
> [!NOTE]
> You want to copy the curly brackets as well as the CLSID: **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**.
3. Open the Group Policy Management Editor and go to: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
<br>**-OR-**<br>

30
browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
View File

@ -37,8 +37,8 @@ current version of Internet Explorer.
Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you dont want Internet Explorer 11, and youre running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel.
>[!Note]
>If a user installs Internet Explorer 11 and then removes it, it wont be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app.
> [!NOTE]
> If a user installs Internet Explorer 11 and then removes it, it wont be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app.
## Internet Explorer 11 automatic upgrades
@ -52,14 +52,14 @@ If you use Automatic Updates in your company, but want to stop your users from a
- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
>[!Note]
>The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md).
> [!NOTE]
> The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md).
- **Use an update management solution to control update deployment.**
If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit.
>[!Note]
>If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202).
> [!NOTE]
> If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202).
Additional information on Internet Explorer 11, including a Readiness Toolkit, technical overview, in-depth feature summary, and Internet Explorer 11 download is available on the [Internet Explorer 11 page of the Microsoft Edge IT Center](https://technet.microsoft.com/microsoft-edge/dn262703.aspx).
@ -81,13 +81,13 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There
4. Click the rule that automatically approves an update that is classified as
Update Rollup, and then click **Edit.**
>[!Note]
>If you dont see a rule like this, you most likely havent configured WSUS to automatically approve Update Rollups for installation. In this situation, you dont have to do anything else.
> [!NOTE]
> If you dont see a rule like this, you most likely havent configured WSUS to automatically approve Update Rollups for installation. In this situation, you dont have to do anything else.
5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section.
>[!Note]
>The properties for this rule will resemble the following:<ul><li>When an update is in Update Rollups</li><li>Approve the update for all computers</li></ul>
> [!NOTE]
> The properties for this rule will resemble the following:<ul><li>When an update is in Update Rollups</li><li>Approve the update for all computers</li></ul>
6. Clear the **Update Rollup** check box, and then click **OK**.
@ -101,12 +101,12 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There
11. Expand *ComputerName*, expand **Updates**, and then click **All Updates**.
12. Choose **Unapproved** in the **Approval**drop down box.
12. Choose **Unapproved** in the **Approval** drop down box.
13. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update.
>[!Note]
>There may be multiple updates, depending on the imported language and operating system updates.
> [!NOTE]
> There may be multiple updates, depending on the imported language and operating system updates.
**Optional**
@ -126,8 +126,8 @@ If you need to reset your Update Rollups packages to auto-approve, do this:
7. Click **OK** to close the **Automatic Approvals** dialog box.
>[!Note]
>Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server wont cause this update to be auto-approved.
> [!NOTE]
> Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server wont cause this update to be auto-approved.
## Additional resources

16
browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
View File

@ -36,8 +36,8 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all
2. Install the Node.js® package manager, [npm](https://www.npmjs.com/).
>[!Note]
>You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
> [!NOTE]
> You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
3. Open File Explorer and then open the **EMIEWebPortal/** folder.
@ -49,8 +49,8 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all
6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution.
>[!Note]
>Step 3 of this topic provides the steps to create your database.
> [!NOTE]
> Step 3 of this topic provides the steps to create your database.
7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager.
@ -109,8 +109,8 @@ Create a new Application Pool and the website, by using the IIS Manager.
9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**.
>[!Note]
>You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
> [!NOTE]
> You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
## Step 3 - Create and prep your database
Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables.
@ -209,8 +209,8 @@ Register the EMIEScheduler tool and service for production site list changes.
1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\.
>[!Important]
>If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files.
> [!IMPORTANT]
> If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files.
2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_.

8
browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
View File

@ -85,8 +85,8 @@ To see if the site works in the Internet Explorer 5, Internet Explorer 7, Intern
- Run the site in each document mode until you find the mode in which the site works.
>[!NOTE]
>You will need to make sure the User agent string dropdown matches the same browser version as the Document mode dropdown. For example, if you were testing to see if the site works in Internet Explorer 10, you should update the Document mode dropdown to 10 and the User agent string dropdown to Internet Explorer 10.
> [!NOTE]
> You will need to make sure the User agent string dropdown matches the same browser version as the Document mode dropdown. For example, if you were testing to see if the site works in Internet Explorer 10, you should update the Document mode dropdown to 10 and the User agent string dropdown to Internet Explorer 10.
- If you find a mode in which your site works, you will need to add the site domain, sub-domain, or URL to the Enterprise Mode Site List for the document mode in which the site works, or ask the IT administrator to do so. You can add the *x-ua-compatible* meta tag or HTTP header as well.
@ -116,8 +116,8 @@ If IE8 Enterprise Mode doesn't work, IE7 Enterprise Mode will give you the Compa
If the site works, inform the IT administrator that the site needs to be added to the IE7 Enterprise Mode section.\
>[!NOTE]
>Adding the same Web path to the Enterprise Mode and sections of the Enterprise Mode Site List will not work, but we will address this in a future update.
> [!NOTE]
> Adding the same Web path to the Enterprise Mode and sections of the Enterprise Mode Site List will not work, but we will address this in a future update.
### Update the site for modern web standards

9
browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
View File

@ -28,8 +28,8 @@ ms.localizationpriority: medium
Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 wont look for an updated list again until you restart the browser.
>[!NOTE]
>We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
> [!NOTE]
> We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
**To turn on Enterprise Mode using Group Policy**
@ -63,9 +63,4 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi
- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md)
- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md)

12
browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
View File

@ -46,14 +46,6 @@ For IE11, the UI has been changed to provide just the controls needed to support
## Where did the search box go?
IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider.
>[!NOTE]
>Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
> [!NOTE]
> Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).

26
browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
View File

@ -29,8 +29,8 @@ ms.date: 05/10/2018
The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the **Automatic Updates** feature of Windows Update.
>[!IMPORTANT]
>The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11.
> [!IMPORTANT]
> The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11.
## Install the toolkit
@ -69,13 +69,13 @@ If you use Automatic Updates in your company, but want to stop your users from a
- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
>[!NOTE]
> [!NOTE]
>The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11).
- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit.
>[!NOTE]
>If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company.
> [!NOTE]
> If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company.
### Prevent automatic installation of Internet Explorer 11 with WSUS
@ -90,13 +90,13 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There
4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.**
>[!NOTE]
>If you dont see a rule like this, you most likely havent configured WSUS to automatically approve Update Rollups for installation. In this situation, you dont have to do anything else.
> [!NOTE]
> If you dont see a rule like this, you most likely havent configured WSUS to automatically approve Update Rollups for installation. In this situation, you dont have to do anything else.
5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section.
>[!NOTE]
>The properties for this rule will resemble the following:<ul><li>When an update is in Update Rollups</li><li>Approve the update for all computers</li></ul>
> [!NOTE]
> The properties for this rule will resemble the following:<ul><li>When an update is in Update Rollups</li><li>Approve the update for all computers</li></ul>
6. Clear the **Update Rollup** check box, and then click **OK**.
@ -116,8 +116,8 @@ After the new Internet Explorer 11 package is available for download, you should
6. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update.
>[!NOTE]
>There may be multiple updates, depending on the imported language and operating system updates.
> [!NOTE]
> There may be multiple updates, depending on the imported language and operating system updates.
### Optional - Reset update rollups packages to auto-approve
@ -135,8 +135,8 @@ After the new Internet Explorer 11 package is available for download, you should
7. Click **OK** to close the **Automatic Approvals** dialog box.
>[!NOTE]
>Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server wont cause this update to be auto-approved.
> [!NOTE]
> Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server wont cause this update to be auto-approved.

12
browsers/internet-explorer/ie11-faq/faq-ieak11.md
View File

@ -36,22 +36,22 @@ You can customize and install IEAK 11 on the following supported operating syste
- Windows Server 2008 R2 Service Pack 1 (SP1)
>[!Note]
>IEAK 11 does not support building custom packages for Windows RT.
> [!NOTE]
> IEAK 11 does not support building custom packages for Windows RT.
**What can I customize with IEAK 11?**
The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable.
>[!Note]
>Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package.
> [!NOTE]
> Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package.
**Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?**
Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
>[!Note]
>IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md).
> [!NOTE]
> IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md).
**Q: Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?**<br>
Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources:

8
browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
View File

@ -98,14 +98,14 @@ Pressing the **F1** button on the **Automatic Version Synchronization** page of
## Certificate installation does not work on IEAK 11
IEAK 11 doesn't install certificates added using the Add a Root Certificate page of the Internet Explorer Customization Wizard 11. Administrators can manually install certificates using the Certificates Microsoft Management Console snap-in (Certmgr.msc) or using the command-line tool, Certificate Manager (Certmgr.exe).
>[!NOTE]
>This applies only when using the External licensing mode of IEAK 11.
> [!NOTE]
> This applies only when using the External licensing mode of IEAK 11.
## The Additional Settings page appears in the wrong language when using a localized version of IEAK 11
When using IEAK 11 in other languages, the settings on the Additional Settings page appear in the language of the target platform, regardless of the IEAK 11 language.
>[!NOTE]
>This applies only when using the Internal licensing mode of IEAK 11.
> [!NOTE]
> This applies only when using the Internal licensing mode of IEAK 11.
To work around this issue, run the customization wizard following these steps:
1. On the **Language Selection** page, select the language that matches the language of your installed IEAK 11.

4
browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
View File

@ -32,8 +32,8 @@ IEAK 10 and newer includes the ability to install using one of the following ins
- Internal
- External
>[!NOTE]
>IEAK 11 works in network environments, with or without Microsoft Active Directory service.
> [!NOTE]
> IEAK 11 works in network environments, with or without Microsoft Active Directory service.
### Corporations

209
devices/hololens/hololens-FAQ.md
View File

@ -1,5 +1,5 @@
---
title: Frequently asked questions about HoloLens and holograms
title: Frequently asked questions about HoloLens devices and holograms
description: Do you have a quick question about HoloLens or interacting with holograms? This article provides a quick answer and more resources.
keywords: hololens, faq, known issue, help
ms.prod: hololens
@ -9,130 +9,134 @@ ms.author: v-tea
ms.topic: article
audience: ITPro
ms.localizationpriority: medium
ms.date: 10/30/2019
ms.date: 02/27/2020
ms.reviewer:
ms.custom:
- CI 114606
- CSSTroubleshooting
manager: jarrettr
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# HoloLens and holograms: Frequently asked questions
# Frequently asked questions about HoloLens devices and holograms
Here are some answers to questions you might have about using HoloLens, placing holograms, working with spaces, and more.
This article answers some questions that you may have about how to use HoloLens, including how to place holograms, work with spaces, and more.
Any time you're having problems, make sure HoloLens is [charged up](https://support.microsoft.com/help/12627/hololens-charge-your-hololens). Try [restarting it](hololens-restart-recover.md) to see if that fixes things. And please use the Feedback app to send us info about the issue&mdash;you'll find it on the [**Start** menu](holographic-home.md).
Any time that you have problems, make sure that HoloLens is [charged up](https://support.microsoft.com/help/12627/hololens-charge-your-hololens). Try [restarting it](hololens-restart-recover.md) to see whether that fixes things. And please use the Feedback app to send us information about the issue. You'll find the Feedback app on the [**Start** menu](holographic-home.md).
For tips about wearing your HoloLens, see [HoloLens fit and comfort: FAQ](https://support.microsoft.com/help/13405/hololens-fit-and-comfort-faq).
For tips about hwo to wear your HoloLens, see [HoloLens (1st gen) fit and comfort frequently asked questions](hololens1-fit-comfort-faq.md).
This FAQ addresses the following questions and issues:
This article addresses the following questions and issues:
<a id="list"></a>
- [My holograms don't look right or are moving around](#my-holograms-dont-look-right-or-are-moving-around)
- [I see a message that says "Finding your space"](#i-see-a-message-that-says-finding-your-space)
- [I'm not seeing the holograms I expect to see in my space](#im-not-seeing-the-holograms-i-expect-to-see-in-my-space)
- [I can't place holograms where I want](#i-cant-place-holograms-where-i-want)
- [I'm not seeing the holograms that I expect to see in my space](#im-not-seeing-the-holograms-that-i-expect-to-see-in-my-space)
- [I can't place holograms where I want to](#i-cant-place-holograms-where-i-want-to)
- [Holograms disappear or are encased in other holograms or objects](#holograms-disappear-or-are-encased-in-other-holograms-or-objects)
- [I can see holograms that are on the other side of a wall](#i-can-see-holograms-that-are-on-the-other-side-of-a-wall)
- [When I place a hologram on a wall, it seems to float](#when-i-place-a-hologram-on-a-wall-it-seems-to-float)
- [When I place a hologram on a wall, the hologram seems to float](#when-i-place-a-hologram-on-a-wall-the-hologram-seems-to-float)
- [Apps appear too close to me when I'm trying to move them](#apps-appear-too-close-to-me-when-im-trying-to-move-them)
- [I'm getting a low disk space error](#im-getting-a-low-disk-space-error)
- [HoloLens doesn't respond to my gestures](#hololens-doesnt-respond-to-my-gestures)
- [HoloLens doesn't respond to my voice](#hololens-doesnt-respond-to-my-voice)
- [I'm having problems pairing or using a Bluetooth device](#im-having-problems-pairing-or-using-a-bluetooth-device)
- [I'm having problems with the HoloLens clicker](#im-having-problems-with-the-hololens-clicker)
- [HoloLens Settings lists devices as available, but the devices dont work](#hololens-settings-lists-devices-as-available-but-the-devices-dont-work)
- [I'm having problems using the HoloLens clicker](#im-having-problems-using-the-hololens-clicker)
- [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi)
- [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start)
- [HoloLens Management Questions](#hololens-management-questions)
- [HoloLens Security Questions](#hololens-security-questions)
- [I can't sign in to a HoloLens device because it was previously set up for someone else](#i-cant-sign-in-to-a-hololens-device-because-it-was-previously-set-up-for-someone-else)
- [Questions about managing HoloLens devices](#questions-about-managing-hololens-devices)
- [Questions about securing HoloLens devices](#questions-about-securing-hololens-devices)
- [How do I delete all spaces?](#how-do-i-delete-all-spaces)
- [I cannot find or use the keyboard to type in the HoloLens 2 Emulator](#i-cannot-find-or-use-the-keyboard-to-type-in-the-hololens-2-emulator)
- [I can't log in to a HoloLens because it was previously set up for someone else](#i-cant-log-in-to-a-hololens-because-it-was-previously-set-up-for-someone-else)
## My holograms don't look right or are moving around
If your holograms don't look right (for example, they're jittery or shaky, or you see black patches on top of them), try one of these fixes:
- [Clean your device visor](hololens1-hardware.md#care-and-cleaning) and make sure nothing is blocking the sensors.
- Make sure you're in a well-lit room without a lot of direct sunlight.
- Try walking around and gazing at your surroundings so HoloLens can scan them more completely.
- Make sure that you're in a well-lit room that does not have a lot of direct sunlight.
- Try walking around and gazing at your surroundings so that HoloLens can scan them more completely.
- If you've placed a lot of holograms, try removing some.
If you're still having problems, trying running the Calibration app, which calibrates your HoloLens just for you, to help keep your holograms looking their best. Go to **Settings **>** System **>** Utilities**. Under Calibration, select **Open Calibration**.
If you're still having problems, trying running the Calibration app. This app calibrates your HoloLens just for you to help keep your holograms looking their best. To do this, go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**.
[Back to list](#list)
## I see a message that says Finding your space
## I see a message that says "Finding your space"
When HoloLens is learning or loading a space, you might see a brief message that says "Finding your space." If this message continues for more than a few seconds, you'll see another message under the Start menu that says "Still looking for your space."
When HoloLens is learning or loading a space, you may see a brief message that says "Finding your space." If this message displays for more than a few seconds, you'll see another message under the Start menu that says "Still looking for your space."
These messages mean that HoloLens is having trouble mapping your space. When this happens, you'll be able to open apps, but you won't be able to place holograms in your environment.
These messages mean that HoloLens is having trouble mapping your space. When this happens, you can open apps, but you can't place holograms in your environment.
If you see these messages often, try the following:
If you see these messages often, try one or more of the following fixes:
- Make sure you're in a well-lit room without a lot of direct sunlight.
- Make sure your device visor is clean. [Learn how](hololens1-hardware.md#care-and-cleaning).
- Make sure you have a strong Wi-Fi signal. If you enter a new environment that has no Wi-Fi or a weak signal, HoloLens won't be able find your space. Check your Wi-Fi connection by going to **Settings **> **Network &amp; Internet** >** Wi-Fi**.
- Make sure that you're in a well-lit room that does not have a lot of direct sunlight.
- Make sure that your device visor is clean. [Learn how to clean your visor](hololens1-hardware.md#care-and-cleaning).
- Make sure that you have a strong Wi-Fi signal. If you enter a new environment that has no Wi-Fi or a weak Wi-Fi signal, HoloLens won't be able find your space. Check your Wi-Fi connection by going to **Settings** > **Network &amp; Internet** > **Wi-Fi**.
- Try moving more slowly.
[Back to list](#list)
## I'm not seeing the holograms I expect to see in my space
## I'm not seeing the holograms that I expect to see in my space
If you don't see holograms you placed, or you're seeing some you don't expect, try the following:
If you don't see the holograms that you placed, or if you're seeing some that you don't expect, try one or more of the following fixes:
- Try turning on some lights. HoloLens works best in a well-lit space.
- Remove holograms you don't need by going to **Settings** > **System** > **Holograms** > **Remove nearby holograms**. Or, if needed, select **Remove all holograms**.
- Turn on some lights. HoloLens works best in a well-lit space.
- Remove holograms that you don't need by going to **Settings** > **System** > **Holograms** > **Remove nearby holograms**. Or, if needed, select **Remove all holograms**.
> [!NOTE]
> If the layout or lighting in your space changes significantly, your device might have trouble identifying your space and showing your holograms.
[Back to list](#list)
## I can't place holograms where I want
## I can't place holograms where I want to
Here are some things to try if you're having trouble placing holograms:
- Stand about 1 to 3 meters from where you're trying to place the hologram.
- Stand between one and three meters from where you're trying to place the hologram.
- Don't place holograms on black or reflective surfaces.
- Make sure you're in a well-lit room without a lot of direct sunlight.
- Make sure that you're in a well-lit room that does not have a lot of direct sunlight.
- Walk around the rooms so HoloLens can rescan your surroundings. To see what's already been scanned, air tap to reveal the mapping mesh graphic.
[Back to list](#list)
## Holograms disappear or are encased in other holograms or objects
If you get too close to a hologram, it will temporarily disappear&mdash;just move away from it. Also, if you've placed a lot of holograms close together, some may disappear. Try removing a few.
If you get too close to a hologram, it will temporarily disappear&mdash;to restore the hologram, just move away from it. Also, if you've placed several holograms close together, some may disappear. Try removing a few.
Holograms can also be blocked or encased by other holograms or by objects such as walls. If this happens, try one of the following:
Holograms can also be blocked or encased by other holograms or by objects such as walls. If this happens, try one of the following fixes:
- If the hologram is encased in another hologram, move it to another location: select **Adjust**, then tap and hold to position it.
- If the hologram is encased in another hologram, move the encased hologram to another location. To do this, select **Adjust**, then tap and hold to position it.
- If the hologram is encased in a wall, select **Adjust**, then walk toward the wall until the hologram appears. Tap and hold, then pull the hologram forward and out of the wall.
- If you can't move the hologram with gestures, use your voice to remove it. Gaze at the hologram, then say "Remove." Then reopen it and place it in a new location.
- If you can't move the hologram by using gestures, use your voice to remove it. Gaze at the hologram, then say "Remove." Then reopen the hologram and place it in a new location.
[Back to list](#list)
## I can see holograms that are on the other side of a wall
If you're very close to a wall, or if HoloLens hasn't scanned the wall yet, you'll be able to see holograms that are in the next room. Stand 1 to 3 meters from the wall and gaze to scan it.
If you're very close to a wall, or if HoloLens hasn't scanned the wall yet, you can see holograms that are in the next room. To scan the wall, stand between one and three meters from the wall and gaze at it.
If HoloLens has problems scanning the wall, it might be because there's a black or reflective object nearby (for example, a black couch or a stainless steel refrigerator). If there is, scan the other side of the wall.
A black or reflective object (for example, a black couch or a stainless steel refrigerator) near the wall may cause problems when HoloLens tries to scan the wall. If there is such an object, scan the other side of the wall.
[Back to list](#list)
## When I place a hologram on a wall, it seems to float
## When I place a hologram on a wall, the hologram seems to float
Holograms placed on walls will appear to be an inch or so away from the wall. If they appear farther away, try the following:
A hologram that you place on a wall typically appears to be an inch or so away from the wall. If it appears to be farther away, try one or more of the following fixes:
- Stand 1 to 3 meters from the wall when you place a hologram and face the wall straight on.
- Air tap the wall to reveal the mapping mesh graphic. Make sure the mesh is lined up with the wall. If it isn't, remove the hologram, rescan the wall, and try again.
- When you place a hologram on a wall, stand between one and three meters from the wall and face the wall straight on.
- Air tap the wall to reveal the mapping mesh graphic. Make sure that the mesh aligns with the wall. If it doesn't, remove the hologram, rescan the wall, and then try again.
- If the issue persists, run the Calibration app. You'll find it in **Settings** > **System** > **Utilities**.
[Back to list](#list)
## Apps appear too close to me when I'm trying to move them
Try walking around and looking at the area where you're placing the app so HoloLens will scan it from different angles. [Cleaning your device visor](hololens1-hardware.md#care-and-cleaning) may also help.
Try walking around and looking at the area where you're placing the app so that HoloLens scans the area from different angles. [Cleaning your device visor](hololens1-hardware.md#care-and-cleaning) may also help.
[Back to list](#list)
@ -140,21 +144,36 @@ Try walking around and looking at the area where you're placing the app so HoloL
Free up some storage space by doing one or more of the following:
- Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](holographic-data.md)
- Remove some of the holograms that you've placed, or remove some saved data from within apps. [How do I find my data?](holographic-data.md)
- Delete some pictures and videos in the Photos app.
- Uninstall some apps from your HoloLens. In the All apps list, tap and hold the app you want to uninstall, then select **Uninstall**. (This will also delete any of the app's data stored on the device.)
- Uninstall some apps from your HoloLens. In the **All apps** list, tap and hold the app you want to uninstall, then select **Uninstall**. (Uninstalling the app also deletes any data that the app stores on the device.)
[Back to list](#list)
## HoloLens doesn't respond to my gestures
To make sure HoloLens can see your gestures, keep your hand in the gesture frame, which extends a couple of feet on either side of you. HoloLens can also best see your hand when you hold it about 18 inches in front of your body (though you don't have to be precise about this). When HoloLens can see your hand, the cursor will change from a dot to a ring. Learn more about [using gestures in HoloLens 2](hololens2-basic-usage.md) or [using gestures in HoloLens (1st gen)](hololens1-basic-usage.md).
To make sure that HoloLens can see your gestures, keep your hand in the gesture frame. The gesture frame extends a couple of feet on either side of you. HoloLens can also best see your hand when you hold it about 18 inches in front of your body (though you don't have to be precise about this). When HoloLens can see your hand, the cursor changes from a dot to a ring. Learn more about [using gestures in HoloLens 2](hololens2-basic-usage.md) or [using gestures in HoloLens (1st gen)](hololens1-basic-usage.md).
[Back to list](#list)
## HoloLens doesn't respond to my voice
If Cortana isn't responding to your voice, make sure Cortana is on. In the **All apps** list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md).
HoloLens (1st gen) and HoloLens 2 have built-in speech recognition, and also support Cortana (online speech recognition).
### Built-in voice commands do not work
On HoloLens (1st gen), built-in speech recognition is not configurable. It is always turned on. On HoloLens 2, you can choose whether to turn on both speech recognition and Cortana during device setup.
If your HoloLens 2 is not responding to your voice, make sure Speech recognition is turned on. Go to **Start** > **Settings** > **Privacy** > **Speech** and turn on **Speech recognition**.
### Cortana doesn't work
If Cortana isn't responding to your voice, make sure Cortana is turned on. Go to **Start** > **Settings** > **Privacy** > **Speech** and verify the **Online speech recognition** settings. Then do one of the following to verify that Cortana itself is turned on:
- In **All apps**, select **Cortana** > select **Menu** > **Notebook** > **Settings** to make changes.
- On HoloLens 2, select the **Speech settings** button or say "Speech settings."
To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md).
[Back to list](#list)
@ -162,42 +181,46 @@ If Cortana isn't responding to your voice, make sure Cortana is on. In the **All
If you're having problems [pairing a Bluetooth device](hololens-connect-devices.md), try the following:
- Go to **Settings** > **Devices** and make sure Bluetooth is turned on. If it is, try turning if off and on again.
- Make sure your Bluetooth device is fully charged or has fresh batteries.
- If you still can't connect, [restart your HoloLens](hololens-recovery.md).
If you're having trouble using a Bluetooth device, make sure it's a supported device. Supported devices include:
- English-language QWERTY Bluetooth keyboards, which can be used anywhere you use the holographic keyboard.
- Bluetooth mice.
- The [HoloLens clicker](hololens1-clicker.md).
Other Bluetooth HID and GATT devices can be paired, but they might require a companion app from Microsoft Store to work with HoloLens.
HoloLens doesn't support Bluetooth audio profiles. Bluetooth audio devices, such as speakers and headsets, may appear as available in HoloLens settings, but they aren't supported.
- Go to **Settings** > **Devices**, and make sure that Bluetooth is turned on. If it is, turn it off and on again.
- Make sure that your Bluetooth device is fully charged or has fresh batteries.
- If you still can't connect, [restart the HoloLens](hololens-recovery.md).
[Back to list](#list)
## I'm having problems with the HoloLens clicker
## HoloLens Settings lists devices as available, but the devices dont work
Use the [clicker](hololens1-clicker.md) to select, scroll, move, and resize holograms. Additional clicker gestures may vary from app to app.
HoloLens doesn't support Bluetooth audio profiles. Bluetooth audio devices, such as speakers and headsets, may appear as available in HoloLens settings, but they aren't supported.
If you're having trouble using the clicker, make sure its charged and paired with your HoloLens. If the battery is low, the indicator light will blink amber. To see if its paired, go to **Settings** > **Devices** and see if it shows up there. [Pair the clicker](hololens-connect-devices.md#pair-the-clicker).
If you're having trouble using a Bluetooth device, make sure that it's a supported device. Supported devices include the following:
- English-language QWERTY Bluetooth keyboards (you can use these anywhere that you use the holographic keyboard).
- Bluetooth mice.
- The [HoloLens clicker](hololens1-clicker.md).
You can pair other Bluetooth HID and GATT devices together with your HoloLens. However, you may have to install corresponding companion apps from Microsoft Store to actually use the devices.
[Back to list](#list)
## I'm having problems using the HoloLens clicker
Use the [clicker](hololens1-clicker.md) to select, scroll, move, and resize holograms. Individial apps may support additional clicker gestures.
If you're having trouble using the clicker, make sure that it's charged and paired with your HoloLens. If the battery is low, the indicator light blinks amber. To verify that the clicker is paired, go to **Settings** > **Devices** and see if it shows up there. For more information, see [Pair the clicker](hololens-connect-devices.md#pair-the-clicker).
If the clicker is charged and paired and you're still having problems, reset it by holding down the main button and the pairing button for 15 seconds. Then pair the clicker with your HoloLens again.
If that doesn't help, see [Restart or recover the HoloLens clicker](hololens1-clicker.md#restart-or-recover-the-clicker).
If resetting the clicker doesn't help, see [Restart or recover the HoloLens clicker](hololens1-clicker.md#restart-or-recover-the-clicker).
[Back to list](#list)
## I can't connect to Wi-Fi
Here are some things to try if you can't connect to Wi-Fi on HoloLens:
Here are some things to try if you can't connect your HoloLens to a Wi-Fi network:
- Make sure Wi-Fi is turned on. Bloom to go to Start, then select **Settings** > **Network &amp; Internet** > **Wi-Fi** to check. If Wi-Fi is on, try turning it off and on again.
- Make sure that Wi-Fi is turned on. To check, use the Start gesture, then select **Settings** > **Network &amp; Internet** > **Wi-Fi**. If Wi-Fi is on, try turning it off and then on again.
- Move closer to the router or access point.
- Restart your Wi-Fi router, then [restart HoloLens](hololens-recovery.md). Try connecting again.
- If none of these things work, check to make sure your router is using the latest firmware. You can find this information on the manufacturers website.
- If none of these things work, check to make sure that your router is using the latest firmware. You can find this information on the manufacturer website.
[Back to list](#list)
@ -207,35 +230,51 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe
[Back to list](#list)
## I can't sign in to a HoloLens device because it was previously set up for someone else
## I can't log in to a HoloLens because it was previously set up for someone else
If your device was previously set up for someone else, either for a client or for a former employee, and you don't have their password to unlock the device, you can do one of the following:
If your device was previously set up for someone else, either a client or former employee and you don't have their password to unlock the device there are two solutions.
- If your device is MDM managed by Intune then you can remotely [Wipe](https://docs.microsoft.com/intune/remote-actions/devices-wipe) the device and it'll reflash itself. Make sure to leave **Retain enrollment state and user account** unchecked.
- If you have the device with you then you can put the device into **Flashing Mode** and use Advanced Recovery Companion to [recover](https://docs.microsoft.com/hololens/hololens-recovery) the device.
- For a device that is enrolled in Intune mobile device management (MDM), you can use Intune to remotely [wipe](https://docs.microsoft.com/intune/remote-actions/devices-wipe) the device. The device then re-flashes itself.
> [!IMPORTANT]
> When you wipe the device, make sure to leave **Retain enrollment state and user account** unchecked.
- For a non-MDM device, you can [put the device into **Flashing Mode** and use Advanced Recovery Companion](hololens-recovery.md#re-install-the-operating-system) to recover the device.
[Back to list](#list)
## HoloLens Management Questions
## Questions about managing HoloLens devices
1. **Can I use SCCM to manage the HoloLens?**
1. No. An MDM must be used to manage the HoloLens
1. **Can I use Active Directory to manage HoloLens user accounts?**
1. No, Azure AD must be used to manage user accounts.
1. **Is the HoloLens capable of ADCS auto enrollment?**
1. No
1. **Can the HoloLens participate in WNA/IWA?**
1. No
1. **Does the HoloLens support branding?**
1. No. However, one work around is to create a custom app and enable Kiosk mode. The custom app can have branding which can then launch other apps (such as Remote Assist). Another option is to change all of the users profile pictures in AAD to your company logo. (However, this may not be desirable for all scenarios)
1. **What logging capabilities are available on HL1 and HL2?**
1. Logging is limited to traces captured in developer/troubleshooting scenarios or telemetry sent to Microsoft servers.
### Can I use System Center Configuration Manager (SCCM) to manage HoloLens devices?
No. You have to use an MDM system to manage HoloLens devices.
### Can I use Active Directory Domain Services (AD DS) to manage HoloLens user accounts?
No. You have to use Azure Active Directory (AAD) to manage user accounts for HoloLens devices.
### Is HoloLens capable of Automated Data Capture Systems (ADCS) auto-enrollment?
No.
### Can HoloLens participate in WNA or Integrated Windows Authentication?
No.
### Does HoloLens support branding?
No. However, you can work around this issue by using one of the following approaches:
- Create a custom app, and then [enable Kiosk mode](hololens-kiosk.md). The custom app can have branding, and can launch other apps (such as Remote Assist).
- Change all of the user profile pictures in AAD to your company logo. However, this may not be desirable for all scenarios.
### What logging capabilities do HoloLens (1st gen) and HoloLens 2 offer?
Logging is limited to traces that can be captured in development or troubleshooting scenarios, or telemetry that the devices send to Microsoft servers.
[Back to list](#list)
## HoloLens Security Questions
## Questions about securing HoloLens devices
Frequently asked security questions can be found [here](hololens-faq-security.md).
See [frequently asked questions about securing HoloLens devices](hololens-faq-security.md).
[Back to list](#list)

8
devices/hololens/hololens-network.md
View File

@ -5,7 +5,7 @@ ms.assetid: 0895606e-96c0-491e-8b1c-52e56b00365d
author: mattzmsft
ms.author: mazeller
keywords: HoloLens, wifi, wireless, internet, ip, ip address
ms.date: 08/30/19
ms.date: 02/27/2020
ms.prod: hololens
ms.sitesec: library
ms.localizationpriority: high
@ -55,6 +55,12 @@ You can also confirm you are connected to a Wi-Fi network by checking the Wi-Fi
1. Open the **Start** menu.
1. Look at the top left of the **Start** menu for Wi-Fi status. The state of Wi-Fi and the SSID of the connected network will be shown.
## Troubleshooting your connection to Wi-Fi
If you experience problems connecting to Wi-Fi, see [I can't connect to Wi-Fi](./hololens-faq.md#i-cant-connect-to-wi-fi).
When you sign into an enterprise or organizational account on the device, it may also apply Mobile Device Management (MDM) policy, if the policy is configured by your IT administrator.
## Disabling Wi-Fi on HoloLens (1st gen)
### Using the Settings app on HoloLens

9
devices/hololens/index.md
View File

@ -45,12 +45,13 @@ appliesto:
| Topic | Description |
| --- | --- |
| [What's new in HoloLens](hololens-whats-new.md) | Discover new features in the latest updates via HoloLens release notes. |
| [Install and manage applications on HoloLens](hololens-install-apps.md) | Install and manage important applications on HoloLens at scale. |
| [Install and manage applications on HoloLens](hololens-install-apps.md) | Install and manage important applications on HoloLens at scale. |
| [HoloLens update management](hololens-updates.md) | Use mobile device management (MDM) policies to configure settings for updates. |
| [HoloLens user management](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts. |
| [HoloLens user management](hololens-multiple-users.md) | Multiple users can share a HoloLens device by using their Azure Active Directory accounts. |
| [HoloLens application access management](hololens-kiosk.md) | Manage application access for different user groups. |
| [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. |
| [Get support](https://support.microsoft.com/products/hololens) | Connect with Microsoft support resources for HoloLens in enterprise. |
| [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. |
| [Contact Support](https://support.microsoft.com/supportforbusiness/productselection) | Create a new support request for the business support team. |
| [More support options](https://support.microsoft.com/products/hololens) | Connect with Microsoft support resources for HoloLens in the enterprise. |
## Related resources

26
devices/surface-hub/surface-hub-2s-manage-intune.md
View File

@ -9,7 +9,7 @@ ms.author: greglin
manager: laurawi
audience: Admin
ms.topic: article
ms.date: 06/20/2019
ms.date: 02/28/2020
ms.localizationpriority: Medium
---
@ -24,7 +24,7 @@ Surface Hub 2S allows IT administrators to manage settings and policies using a
1. Sign in as a local administrator on Surface Hub 2S and open the **Settings** app. Select **Surface Hub** > **Device management** and then select **+** to add.
2. After authenticating, the device will automatically register with Intune.
![Register Surface Hub 2S with Intune](images/sh2-set-intune1.png)<br>
![Register Surface Hub 2S with Intune](images/sh2-set-intune1.png)<br>
### Auto registration — Azure Active Directory Affiliated
@ -44,17 +44,31 @@ For additional supported CSPs, see [Surface Hub CSPs in Windows 10](https://docs
## Quality of Service (QoS) settings
To ensure optimal video and audio quality on Surface Hub 2S, add the following QoS settings to the device. The settings are identical for Skype for Business and Teams.
To ensure optimal video and audio quality on Surface Hub 2S, add the following QoS settings to the device.
### Microsoft Teams QoS settings
|**Name**|**Description**|**OMA-URI**|**Type**|**Value**|
|:------ |:------------- |:--------- |:------ |:------- |
|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition | String | 50000-50019 |
|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DestinationPortMatchCondition | String | 3478-3479 |
|**Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DSCPAction | Integer | 46 |
|**Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/SourcePortMatchCondition | String | 50020-50039 |
|**Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DestinationPortMatchCondition | String | 3480 |
|**Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DSCPAction | Integer | 34 |
### Skype for Business QoS settings
| Name | Description | OMA-URI | Type | Value |
| ------------------ | ------------------- | ------------------------------------------------------------------------ | ------- | ------------------------------ |
| Audio Ports | Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition | String | 50000-50019 |
| Audio DSCP | Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DSCPAction | Integer | 46 |
| Audio Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe |
| Video Ports | Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/SourcePortMatchCondition | String | 50020-50039 |
| Video DSCP | Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DSCPAction | Integer | 34 |
| Video Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe |
> [!NOTE]
> These are the default port ranges. Administrators may change the port ranges in the Skype for Business and Teams control panel.
> Both tables show default port ranges. Administrators may change the port ranges in the Skype for Business and Teams control panel.
## Microsoft Teams Mode settings

31
devices/surface/surface-dock-firmware-update.md
View File

@ -1,6 +1,6 @@
---
title: Microsoft Surface Dock Firmware Update
description: This article explains how to use Microsoft Surface Dock Firmware Update, newly redesigned to update Surface Dock firmware while running in the background on your Surface device.
description: This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
ms.localizationpriority: medium
ms.prod: w10
ms.mktglfcycl: manage
@ -11,6 +11,7 @@ ms.topic: article
ms.reviewer: scottmca
manager: dansimp
ms.audience: itpro
ms.date: 02/07/2020
---
# Microsoft Surface Dock Firmware Update
@ -32,17 +33,19 @@ This section is optional and provides an overview of how to monitor installation
To monitor the update:
1. Open Event Viewer, browse to **Windows Logs > Application**, and then under **Actions** in the right-hand pane click **Filter Current Log**, enter **SurfaceDockFwUpdate** next to **Event sources**, and then click **OK**.
2. Type the following command at an elevated command prompt:
```cmd
Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters"
```
```cmd
Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters"
```
3. Install the update as described in the [next section](#install-the-surface-dock-firmware-update) of this article.
4. Event 2007 with the following text indicates a successful update: **Firmware update finished. hr=0 DriverTelementry EventCode = 2007**.
- If the update is not successful, then event ID 2007 will be displayed as an **Error** event rather than **Information**. Additionally, the version reported in the Windows Registry will not be current.
- If the update is not successful, then event ID 2007 will be displayed as an **Error** event rather than **Information**. Additionally, the version reported in the Windows Registry will not be current.
5. When the update is complete, updated DWORD values will be displayed in the Windows Registry, corresponding to the current version of the tool. See the [Versions reference](#versions-reference) section in this article for details. For example:
- Component10CurrentFwVersion 0x04ac3970 (78395760)
- Component20CurrentFwVersion 0x04915a70 (76634736)
- Component10CurrentFwVersion 0x04ac3970 (78395760)
- Component20CurrentFwVersion 0x04915a70 (76634736)
>[!TIP]
>If you see "The description for Event ID xxxx from source SurfaceDockFwUpdate cannot be found" in event text, this is expected and can be ignored.
@ -52,8 +55,8 @@ To monitor the update:
This section describes how to install the firmware update.
1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703).
- The update requires a Surface device running Windows 10, version 1803 or later.
- Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update.
- The update requires a Surface device running Windows 10, version 1803 or later.
- Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update.
2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted.
@ -68,10 +71,10 @@ You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firm
msiexec /i "\\share\folder\Surface_Dock_FwUpdate_1.42.139_Win10_17134_19.084.31680_0.msi" /quiet /norestart
```
> [!NOTE]
> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]". For example: Msiexec.exe /i \<path to msi file\> /l*v %windir%\logs\ SurfaceDockFWI.log"
> [!NOTE]
> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]". For example: Msiexec.exe /i \<path to msi file\> /l*v %windir%\logs\ SurfaceDockFWI.log"
For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation.
For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation.
> [!IMPORTANT]
> If you want to keep your Surface Dock updated using any other method, refer to [Update your Surface Dock](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) for details.
@ -96,11 +99,11 @@ Successful completion of Surface Dock Firmware Update results in new registry ke
1. Open Regedit and navigate to the following registry path:
- **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters**
- **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters**
2. Look for the registry keys: **Component10CurrentFwVersion and Component20CurrentFwVersion**, which refer to the firmware that is currently on the device.
![Surface Dock Firmware Update installation process](images/regeditDock.png)
![Surface Dock Firmware Update installation process](images/regeditDock.png)
3. Verify the new registry key values match the updated registry key values listed in the Versions reference at the end of this document. If the values match, the firmware was updated successfully.

10
windows/client-management/mdm/certificatestore-csp.md
View File

@ -9,7 +9,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
ms.date: 06/26/2017
ms.date: 02/28/2020
---
# CertificateStore CSP
@ -144,7 +144,13 @@ Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) f
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-subjectname"></a>**My/SCEP/*UniqueID*/Install/SubjectName**
Required. Specifies the subject name. Value type is chr.
Required. Specifies the subject name.
The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ).
For more details, see [CertNameToStrA function](https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
Value type is chr.
Supported operations are Get, Add, Delete, and Replace.

340
windows/client-management/mdm/clientcertificateinstall-csp.md
View File

@ -9,7 +9,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 10/16/2018
ms.date: 02/28/2020
---
# ClientCertificateInstall CSP
@ -29,32 +29,32 @@ The following image shows the ClientCertificateInstall configuration service pro
![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png)
<a href="" id="device-or-user"></a>**Device or User**
<p style="margin-left: 20px">For device certificates, use <strong>./Device/Vendor/MSFT</strong> path and for user certificates use <strong>./User/Vendor/MSFT</strong> path.
<a href="" id="device-or-user"></a>**Device or User**
For device certificates, use <strong>./Device/Vendor/MSFT</strong> path and for user certificates use <strong>./User/Vendor/MSFT</strong> path.
<a href="" id="clientcertificateinstall"></a>**ClientCertificateInstall**
<p style="margin-left: 20px">The root node for the ClientCertificateInstaller configuration service provider.
<a href="" id="clientcertificateinstall"></a>**ClientCertificateInstall**
The root node for the ClientCertificateInstaller configuration service provider.
<a href="" id="clientcertificateinstall-pfxcertinstall"></a>**ClientCertificateInstall/PFXCertInstall**
<p style="margin-left: 20px">Required for PFX certificate installation. The parent node grouping the PFX certificate related settings.
<a href="" id="clientcertificateinstall-pfxcertinstall"></a>**ClientCertificateInstall/PFXCertInstall**
Required for PFX certificate installation. The parent node grouping the PFX certificate related settings.
<p style="margin-left: 20px">Supported operation is Get.
Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid"></a>**ClientCertificateInstall/PFXCertInstall/**<strong>*UniqueID*</strong>
<p style="margin-left: 20px">Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid"></a>**ClientCertificateInstall/PFXCertInstall/**<strong>*UniqueID*</strong>
Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
<p style="margin-left: 20px">The data type format is node.
The data type format is node.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
Supported operations are Get, Add, and Replace.
<p style="margin-left: 20px">Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob.
Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-keylocation"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation**
<p style="margin-left: 20px">Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-keylocation"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation**
Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
Supported operations are Get, Add, and Replace.
<p style="margin-left: 20px">The data type is an integer corresponding to one of the following values:
The data type is an integer corresponding to one of the following values:
| Value | Description |
|-------|---------------------------------------------------------------------------------------------------------------|
@ -64,225 +64,229 @@ The following image shows the ClientCertificateInstall configuration service pro
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
<p style="margin-left: 20px">Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
<p style="margin-left: 20px">Date type is string.
Date type is string.
<p style="margin-left: 20px">Supported operations are Get, Add, Delete, and Replace.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertblob"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
<p style="margin-left: 20px">CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertblob"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation.
<p style="margin-left: 20px">The data type format is binary.
The data type format is binary.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
Supported operations are Get, Add, and Replace.
<p style="margin-left: 20px">If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten.
If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten.
<p style="margin-left: 20px">If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail.
If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail.
<p style="margin-left: 20px">In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in <a href="https://go.microsoft.com/fwlink/p/?LinkId=523871" data-raw-source="[CRYPT\_INTEGER\_BLOB](https://go.microsoft.com/fwlink/p/?LinkId=523871)">CRYPT_INTEGER_BLOB</a>.
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in <a href="https://go.microsoft.com/fwlink/p/?LinkId=523871" data-raw-source="[CRYPT\_INTEGER\_BLOB](https://go.microsoft.com/fwlink/p/?LinkId=523871)">CRYPT_INTEGER_BLOB</a>.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpassword"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
<p style="margin-left: 20px">Password that protects the PFX blob. This is required if the PFX is password protected.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpassword"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
Password that protects the PFX blob. This is required if the PFX is password protected.
<p style="margin-left: 20px">Data Type is a string.
Data Type is a string.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptiontype"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType**
<p style="margin-left: 20px">Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptiontype"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType**
Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server.
<p style="margin-left: 20px">The data type is int. Valid values:
The data type is int. Valid values:
- 0 - Password is not encrypted.
- 1 - Password is encrypted with the MDM certificate.
- 2 - Password is encrypted with custom certificate.
<p style="margin-left: 20px">When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting.
When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
<p style="margin-left: 20px">Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
> **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
<p style="margin-left: 20px">The data type bool.
The data type bool.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-thumbprint"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint**
<p style="margin-left: 20px">Returns the thumbprint of the installed PFX certificate.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-thumbprint"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint**
Returns the thumbprint of the installed PFX certificate.
<p style="margin-left: 20px">The datatype is a string.
The datatype is a string.
<p style="margin-left: 20px">Supported operation is Get.
Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-status"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status**
<p style="margin-left: 20px">Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-status"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status**
Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore.
<p style="margin-left: 20px">Data type is an integer.
Data type is an integer.
<p style="margin-left: 20px">Supported operation is Get.
Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptionstore"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore**
<p style="margin-left: 20px">Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptionstore"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore**
Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword.
<p style="margin-left: 20px">Data type is string.
Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep"></a>**ClientCertificateInstall/SCEP**
<p style="margin-left: 20px">Node for SCEP.
<a href="" id="clientcertificateinstall-scep"></a>**ClientCertificateInstall/SCEP**
Node for SCEP.
> **Note**  An alert is sent after the SCEP certificate is installed.
<a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/**<strong>*UniqueID*</strong>
<p style="margin-left: 20px">A unique ID to differentiate different certificate installation requests.
<a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/**<strong>*UniqueID*</strong>
A unique ID to differentiate different certificate installation requests.
<a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install**
<p style="margin-left: 20px">A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
<a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install**
A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
<p style="margin-left: 20px">Supported operations are Get, Add, Replace, and Delete.
Supported operations are Get, Add, Replace, and Delete.
> **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
<p style="margin-left: 20px">Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Get, Add, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-challenge"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
<p style="margin-left: 20px">Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-ekumapping"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
<p style="margin-left: 20px">Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus <strong>+</strong>. For example, <em>OID1</em>+<em>OID2</em>+<em>OID3</em>.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
Data type is string.
<p style="margin-left: 20px">Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesnt have those bits set, the configuration will fail.
<p style="margin-left: 20px">Data type is int.
Supported operations are Get, Add, Delete, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-challenge"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectname"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
<p style="margin-left: 20px">Required. Specifies the subject name.
Data type is string.
<p style="margin-left: 20px">Data type is string.
Supported operations are Add, Get, Delete, and Replace.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-ekumapping"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus <strong>+</strong>. For example, <em>OID1</em>+<em>OID2</em>+<em>OID3</em>.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyprotection"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
<p style="margin-left: 20px">Optional. Specifies where to keep the private key.
Data type is string.
Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesnt have those bits set, the configuration will fail.
Data type is int.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectname"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
Required. Specifies the subject name.
The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ).
For more details, see [CertNameToStrA function](https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
Data type is string.
Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyprotection"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
Optional. Specifies where to keep the private key.
> **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN.
<p style="margin-left: 20px">The data type is an integer corresponding to one of the following values:
The data type is an integer corresponding to one of the following values:
| Value | Description |
|-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | Private key protected by TPM. |
| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. |
| 3 | (Default) Private key saved in software KSP. |
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specifed, otherwise enrollment will fail. |
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. |
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
<p style="margin-left: 20px">Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesnt have those bits set, configuration will fail.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesnt have those bits set, configuration will fail.
<p style="margin-left: 20px"> Supported operations are Add, Get, Delete, and Replace. Value type is integer.
Supported operations are Add, Get, Delete, and Replace. Value type is integer.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrydelay"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
<p style="margin-left: 20px">Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrydelay"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
<p style="margin-left: 20px">Data type format is an integer.
Data type format is an integer.
<p style="margin-left: 20px">The default value is 5.
The default value is 5.
<p style="margin-left: 20px">The minimum value is 1.
The minimum value is 1.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrycount"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
<p style="margin-left: 20px">Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrycount"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status.
<p style="margin-left: 20px">Data type is integer.
Data type is integer.
<p style="margin-left: 20px">Default value is 3.
Default value is 3.
<p style="margin-left: 20px">Maximum value is 30. If the value is larger than 30, the device will use 30.
Maximum value is 30. If the value is larger than 30, the device will use 30.
<p style="margin-left: 20px">Minimum value is 0, which indicates no retry.
Minimum value is 0, which indicates no retry.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
<p style="margin-left: 20px">Optional. OID of certificate template name.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
Optional. OID of certificate template name.
> **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesnt need to provide it.
<p style="margin-left: 20px">Data type is string.
Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keylength"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
<p style="margin-left: 20px">Required for enrollment. Specify private key length (RSA).
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keylength"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
Required for enrollment. Specify private key length (RSA).
<p style="margin-left: 20px">Data type is integer.
Data type is integer.
<p style="margin-left: 20px">Valid values are 1024, 2048, and 4096.
Valid values are 1024, 2048, and 4096.
<p style="margin-left: 20px">For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length.
For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-hashalgorithm"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
<p style="margin-left: 20px">Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with <strong>+</strong>.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-hashalgorithm"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with <strong>+</strong>.
<p style="margin-left: 20px">For Windows Hello for Business, only SHA256 is the supported algorithm.
For Windows Hello for Business, only SHA256 is the supported algorithm.
<p style="margin-left: 20px">Data type is string.
Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-cathumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
<p style="margin-left: 20px">Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-cathumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.
<p style="margin-left: 20px">Data type is string.
Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectalternativenames"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
<p style="margin-left: 20px">Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectalternativenames"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.
<p style="margin-left: 20px">Each pair is separated by semicolon. For example, multiple SANs are presented in the format of <em>[name format1]</em>+<em>[actual name1]</em>;<em>[name format 2]</em>+<em>[actual name2]</em>.
Each pair is separated by semicolon. For example, multiple SANs are presented in the format of <em>[name format1]</em>+<em>[actual name1]</em>;<em>[name format 2]</em>+<em>[actual name2]</em>.
<p style="margin-left: 20px">Data type is string.
Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiod"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
<p style="margin-left: 20px">Optional. Specifies the units for the valid certificate period.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiod"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
Optional. Specifies the units for the valid certificate period.
<p style="margin-left: 20px">Data type is string.
Data type is string.
<p style="margin-left: 20px">Valid values are:
Valid values are:
- Days (Default)
- Months
@ -291,61 +295,61 @@ Data type is string.
> **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
<p style="margin-left: 20px">Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
<p style="margin-left: 20px">Data type is string.
Data type is string.
>**Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-containername"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
<p style="margin-left: 20px">Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-containername"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
<p style="margin-left: 20px">Data type is string.
Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-customtexttoshowinprompt"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
<p style="margin-left: 20px">Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-customtexttoshowinprompt"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.
<p style="margin-left: 20px">Data type is string.
Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-enroll"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
<p style="margin-left: 20px">Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-enroll"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
<p style="margin-left: 20px">The date type format is Null, meaning this node doesnt contain a value.
The date type format is Null, meaning this node doesnt contain a value.
<p style="margin-left: 20px">The only supported operation is Execute.
The only supported operation is Execute.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-aadkeyidentifierlist"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
<p style="margin-left: 20px">Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-aadkeyidentifierlist"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
<p style="margin-left: 20px">Data type is string.
Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-certthumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
<p style="margin-left: 20px">Optional. Specifies the current certificates thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
<a href="" id="clientcertificateinstall-scep-uniqueid-certthumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
Optional. Specifies the current certificates thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
<p style="margin-left: 20px">If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string.
If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string.
<p style="margin-left: 20px">Data type is string.
Data type is string.
<p style="margin-left: 20px">The only supported operation is Get.
The only supported operation is Get.
<a href="" id="clientcertificateinstall-scep-uniqueid-status"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Status**
<p style="margin-left: 20px">Required. Specifies latest status of the certificated during the enrollment request.
<a href="" id="clientcertificateinstall-scep-uniqueid-status"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Status**
Required. Specifies latest status of the certificated during the enrollment request.
<p style="margin-left: 20px">Data type is string. Valid values:
Data type is string. Valid values:
<p style="margin-left: 20px">The only supported operation is Get.
The only supported operation is Get.
| Value | Description |
|-------|---------------------------------------------------------------------------------------------------|
@ -355,17 +359,17 @@ Data type is string.
| 32 | Unknown |
<a href="" id="clientcertificateinstall-scep-uniqueid-errorcode"></a>**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
<p style="margin-left: 20px">Optional. An integer value that indicates the HRESULT of the last enrollment error code.
<a href="" id="clientcertificateinstall-scep-uniqueid-errorcode"></a>**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
Optional. An integer value that indicates the HRESULT of the last enrollment error code.
<p style="margin-left: 20px">The only supported operation is Get.
The only supported operation is Get.
<a href="" id="clientcertificateinstall-scep-uniqueid-respondentserverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl**
<p style="margin-left: 20px">Required. Returns the URL of the SCEP server that responded to the enrollment request.
Required. Returns the URL of the SCEP server that responded to the enrollment request.
<p style="margin-left: 20px">Data type is string.
Data type is string.
<p style="margin-left: 20px">The only supported operation is Get.
The only supported operation is Get.
## Example

6
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What is dmwappushsvc?](#what-is-dmwappushsvc)
- **Change history in MDM documentation**
- [February 2020](#february-2020)
- [January 2020](#january-2020)
- [November 2019](#november-2019)
- [October 2019](#october-2019)
@ -1936,6 +1937,11 @@ How do I turn if off? | The service can be stopped from the "Services" console o
## Change history in MDM documentation
### February 2020
|New or updated topic | Description|
|--- | ---|
|[CertificateStore CSP](certificatestore-csp.md)<br>[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)|Added details about SubjectName value.|
### January 2020
|New or updated topic | Description|
|--- | ---|

11
windows/deployment/update/feature-update-mission-critical.md
View File

@ -1,6 +1,6 @@
---
title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
description: Learn how to deploy feature updates to your mission critical devices
title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices
description: Learn how to deploy feature updates to your mission-critical devices
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
@ -8,7 +8,6 @@ itproauthor: jaimeo
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.date: 07/10/2018
ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
@ -21,7 +20,7 @@ ms.topic: article
Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often arent the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates).
For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service).
Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods:
@ -32,9 +31,9 @@ You can use Configuration Manager to deploy feature updates to Windows 10 device
- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments.
- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
- **Language pack installations.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method.
If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this useful in deploying software updates.
Use the following information:

6
windows/deployment/update/update-compliance-security-update-status.md
View File

@ -30,7 +30,7 @@ Deployment status summarizes detailed status into higher-level states to get a q
|Deployment status |Description |
|---------|---------|
|Failed | The device encountered a failure during the update process. Note that due to latency, devices reporting this status may have since retried the update. |
|Progress stalled | he device started the update process, but no progress has been reported in the last 7 days. |
|Progress stalled | The device started the update process, but no progress has been reported in the last 7 days. |
|Deferred | The device is currently deferring the update process due to Windows Update for Business policies. |
|In progress | The device has begun the updating process for this update. This status appears if the device is in any stage of the update process including and after download, but before completing the update. If no progress has been reported in the last 7 days, devices will move to **Progress stalled**.** |
|Update completed | The device has completed the update process. |
@ -42,7 +42,7 @@ Deployment status summarizes detailed status into higher-level states to get a q
Detailed status provides a detailed stage-level representation of where in the update process the device was last reported to be in relative to this specific update. Note that with the latency of deployment data, devices might have since moved on from the reported detailed status.
|Detaild status |Description |
|Detailed status |Description |
|---------|---------|
|Scheduled in next X days | The device is currently deferring the update with Windows Update for Business policies but will be offered the update within the next X days. |
|Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) |
@ -59,7 +59,7 @@ Detailed status provides a detailed stage-level representation of where in the u
|Commit | The device, after a restart, is committing changes relevant to the update. |
|Finalize succeeded | The device has finished final tasks after a restart to apply the update. |
|Update successful | The device has successfully applied the update. |
|Cancelled | The update was cancelled at some point in the update process. |
|Cancelled | The update was canceled at some point in the update process. |
|Uninstalled | The update was successfully uninstalled from the device. |
|Rollback | The update failed to apply during the update process, causing the device to roll back changes and revert to the previous update. |

328
windows/deployment/update/waas-manage-updates-configuration-manager.md
View File

@ -1,328 +0,0 @@
---
title: Deploy Windows 10 updates via Microsoft Endpoint Configuration Manager
description: Microsoft Endpoint Configuration Manager provides maximum control over quality and feature updates for Windows 10.
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
---
# Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager
**Applies to**
- Windows 10
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
>[!IMPORTANT]
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
Microsoft Endpoint Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation.
>[!NOTE]
>This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager).
## Windows 10 servicing dashboard
The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx).
For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements:
- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods.
- **Windows Server Update Service (WSUS)**. Microsoft Endpoint Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed.
- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode.
- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications.
**To configure Upgrade classification**
1. Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list.
2. On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**.
![Example of UI](images/waas-sccm-fig1.png)
3. In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**.
When you have met all these requirements and deployed a servicing plan to a collection, youll receive information on the Windows 10 servicing dashboard.
## Create collections for deployment rings
Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 All Current Branch for Business** and **Ring 4 Broad business users**. Youll use the **Windows 10 All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. Youll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users.
>[!NOTE]
>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
**To create collections for deployment rings**
1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
3. In the Create Device Collection Wizard, in the **name** box, type **Windows 10 All Current Branch for Business**.
4. Click **Browse** to select the limiting collection, and then click **All Systems**.
5. In **Membership rules**, click **Add Rule**, and then click **Query Rule**.
6. Name the rule **CBB Detection**, and then click **Edit Query Statement**.
7. On the **Criteria** tab, click the **New** icon.
![Example of UI](images/waas-sccm-fig4.png)
8. In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**.
9. In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**.
![Example of UI](images/waas-sccm-fig5.png)
>[!NOTE]
>Configuration Manager discovers clients servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**.
10. Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**.
![Example of UI](images/waas-sccm-fig6.png)
11. Now that the **OSBranch** attribute is correct, verify the operating system version.
12. On the **Criteria** tab, click the **New** icon again to add criteria.
13. In the **Criterion Properties** dialog box, click **Select**.
14. From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**.
![Example of UI](images/waas-sccm-fig7.png)
15. In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**.
![Example of UI](images/waas-sccm-fig8.png)
16. In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard.
17. Click **Summary**, and then click **Next**.
18. Close the wizard.
>[!IMPORTANT]
>Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesnt equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds.
After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 4 Broad broad business users** collection. Complete the following steps to create the **Ring 4 Broad business users** device collection, which youll use as a CBB deployment ring for servicing plans or task sequences.
1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
3. In the Create Device Collection Wizard, in the **name** box, type **Ring 4 Broad business users**.
4. Click **Browse** to select the limiting collection, and then click **Windows 10 All Current Branch for Business**.
5. In **Membership rules**, click **Add Rule**, and then click **Direct Rule**.
6. In the **Create Direct Membership Rule Wizard** dialog box, click **Next**.
7. In the **Value** field, type all or part of the name of a device to add, and then click **Next**.
8. Select the computer that will be part of the **Ring 4 Broad business users** deployment ring, and then click **Next**.
9. Click **Next**, and then click **Close**.
10. In the **Create Device Collection Wizard** dialog box, click **Summary**.
11. Click **Next**, and then click **Close**.
## Use Windows 10 servicing plans to deploy Windows 10 feature updates
There are two ways to deploy Windows 10 feature updates with Microsoft Endpoint Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates.
**To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan**
1. In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**.
2. On the Ribbon, in the **Create** group, click **Create Servicing Plan**.
3. Name the plan **Ring 4 Broad business users Servicing Plan**, and then click **Next**.
4. On the **Servicing Plan page**, click **Browse**. Select the **Ring 4 Broad business users** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**.
>[!IMPORTANT]
>Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message.
>
>![This is a high-risk deployment](images/waas-sccm-fig9.png)
>
>For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx).
5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**.
Doing so deploys CBB feature updates to the broad business users deployment ring immediately after they are released to CBB.
On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**.
6. For this example, on the **Upgrades** page, click **Next** to leave the criterion blank.
7. On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline.
8. On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**.
Doing so allows installation and restarts after the 7-day deadline on workstations only.
9. On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**.
In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates.
![Example of UI](images/waas-sccm-fig10.png)
10. On the **Distribution Points** page, from the **Add** list, select **Distribution Point**.
![Example of UI](images/waas-sccm-fig11.png)
Select the distribution points that serve the clients to which youre deploying this servicing plan, and then click **OK**.
11. Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**.
You have now created a servicing plan for the **Ring 4 Broad business users** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plans properties on the **Evaluation Schedule** tab.
![Example of UI](images/waas-sccm-fig12.png)
## Use a task sequence to deploy Windows 10 updates
There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments.
Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console:
1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages.
2. On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**.
3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 youre deploying, and then click **Next**.
In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607.
4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**.
5. On the **Summary** page, click **Next** to create the package.
6. On the **Completion** page, click **Close**.
Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points:
1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise Version 1607** software upgrade package.
2. On the Ribbon, in the **Deployment group**, click **Distribute Content**.
3. In the Distribute Content Wizard, on the **General** page, click **Next**.
4. On the **Content Destination** page, click **Add**, and then click **Distribution Point**.
5. In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**.
6. On the **Content Destination** page, click **Next**.
7. On the **Summary** page, click **Next** to distribute the content to the selected distribution point.
8. On the **Completion** page, click **Close**.
Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package:
1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences.
2. On the Ribbon, in the **Create** group, click **Create Task Sequence**.
3. In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
4. On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise Version 1607**, and then click **Next**.
5. On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**.
6. Click **Next**.
7. On the **Include Updates** page, select **Available for installation All software updates**, and then click **Next**.
8. On the **Install Applications** page, click **Next**.
9. On the **Summary** page, click **Next** to create the task sequence.
10. On the **Completion** page, click **Close**.
With the task sequence created, youre ready to deploy it. If youre using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 4 Broad business users collection**.
>[!IMPORTANT]
>This process deploys a Windows 10 operating system feature update to the affected devices. If youre testing, be sure to select the collection to which you deploy this task sequence carefully.
**To deploy your task sequence**
1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise Version 1607** task sequence.
2. On the Ribbon, in the **Deployment** group, click **Deploy**.
3. In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**.
4. On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**.
5. On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**.
6. In the **Assignment Schedule** dialog box, click **Schedule**.
7. In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**.
8. In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**.
9. On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**.
10. Use the defaults for the remaining settings.
11. Click **Summary**, and then click **Next** to deploy the task sequence.
12. Click **Close**.
## Steps to manage updates for Windows 10
| | |
| --- | --- |
| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
| ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager (this topic) |
## See also
[Manage Windows as a service using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service)
## Related topics
- [Update Windows 10 in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage device restarts after updates](waas-restart.md)

218
windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
View File

@ -1,6 +1,6 @@
---
title: Demonstrate Autopilot deployment
ms.reviewer:
ms.reviewer:
manager: laurawi
description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
@ -21,20 +21,23 @@ ms.custom: autopilot
**Applies to**
- Windows 10
- Windows 10
To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10.
In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V.
>Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
> [!NOTE]
> Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
> Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
The following video provides an overview of the process:
</br>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
>For a list of terms used in this guide, see the [Glossary](#glossary) section.
> For a list of terms used in this guide, see the [Glossary](#glossary) section.
## Prerequisites
@ -83,9 +86,9 @@ A summary of the sections and procedures in the lab is provided below. Follow ea
## Verify support for Hyper-V
If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later).
If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later).
>If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
> If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed.
@ -103,9 +106,9 @@ This command works on all operating systems that support Hyper-V, but on Windows
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
```
When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
>Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
> Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
![hyper-v feature](../images/hyper-v-feature.png)
@ -119,25 +122,25 @@ To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://
## Create a demo VM
Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
To use Windows Powershell we just need to know two things:
To use Windows PowerShell, we just need to know two things:
1. The location of the Windows 10 ISO file.
- In the example, we assume the location is **c:\iso\win10-eval.iso**.
- In the example, we assume the location is **c:\iso\win10-eval.iso**.
2. The name of the network interface that connects to the Internet.
- In the example, we use a Windows PowerShell command to determine this automatically.
- In the example, we use a Windows PowerShell command to determine this automatically.
After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10.
### Set ISO file location
You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
- When asked to select a platform, choose **64 bit**.
You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
- When asked to select a platform, choose **64 bit**.
After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory.
@ -149,19 +152,19 @@ The Get-NetAdaper cmdlet is used below to automatically find the network adapter
(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
```
The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name.
The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name.
For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
### Use Windows PowerShell to create the demo VM
### Use Windows PowerShell to create the demo VM
All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
>[!IMPORTANT]
>**VM switch**: a VM switch is how Hyper-V connects VMs to a network. <br><br>If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."<br><br>If you have never created an external VM switch before, then just run the commands below.
> [!IMPORTANT]
> **VM switch**: a VM switch is how Hyper-V connects VMs to a network. <br><br>If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."<br><br>If you have never created an external VM switch before, then just run the commands below.
```powershell
New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
Start-VM -VMName WindowsAutopilot
@ -222,13 +225,13 @@ Ensure the VM booted from the installation ISO, click **Next** then click **Inst
![Windows setup](images/winsetup5.png)
![Windows setup](images/winsetup6.png)
>After the VM restarts, during OOBE, its fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
After the VM restarts, during OOBE, its fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
![Windows setup](images/winsetup7.png)
![Windows setup](images/winsetup7.png)
Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
![Windows setup](images/winsetup8.png)
![Windows setup](images/winsetup8.png)
To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
@ -240,7 +243,8 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see
## Capture the hardware ID
>NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but youre not going to use the OA3 Tool to capture the full 4K HH for various reasons (youd have to install the OA3 tool, your device couldnt have a volume license version of Windows, its a more complicated process than using a PS script, etc.). Instead, youll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
> [!NOTE]
> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but youre not going to use the OA3 Tool to capture the full 4K HH for various reasons (youd have to install the OA3 tool, your device couldnt have a volume license version of Windows, its a more complicated process than using a PS script, etc.). Instead, youll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
Follow these steps to run the PS script:
@ -292,18 +296,19 @@ Mode LastWriteTime Length Name
PS C:\HWID>
</pre>
Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
> [!NOTE]
> Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
![Serial number and hardware hash](images/hwid.png)
You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If youre using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If youre using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
>[!NOTE]
>When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
> [!NOTE]
> When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
## Reset the VM back to Out-Of-Box-Experience (OOBE)
@ -326,7 +331,7 @@ For this lab, you need an AAD Premium subscription. You can tell if you have a
![MDM and Intune](images/mdm-intune2.png)
If the configuration blade shown above does not appear, its likely that you dont have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
If the configuration blade shown above does not appear, its likely that you dont have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
@ -336,8 +341,8 @@ To convert your Intune trial account to a free Premium trial account, navigate t
If you already have company branding configured in Azure Active Directory, you can skip this step.
>[!IMPORTANT]
>Make sure to sign-in with a Global Administrator account.
> [!IMPORTANT]
> Make sure to sign-in with a Global Administrator account.
Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
@ -345,8 +350,8 @@ Navigate to [Company branding in Azure Active Directory](https://portal.azure.co
When you are finished, click **Save**.
>[!NOTE]
>Changes to company branding can take up to 30 minutes to apply.
> [!NOTE]
> Changes to company branding can take up to 30 minutes to apply.
## Configure Microsoft Intune auto-enrollment
@ -368,8 +373,8 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
![Intune device import](images/device-import.png)
>[!NOTE]
>If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
> [!NOTE]
> If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). Its okay if other fields (Windows Product ID) are left blank.
@ -377,7 +382,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example.
@ -385,8 +390,8 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
### Autopilot registration using MSfB
>[!IMPORTANT]
>If you've already registered your VM (or device) using Intune, then skip this step.
> [!IMPORTANT]
> If you've already registered your VM (or device) using Intune, then skip this step.
Optional: see the following video for an overview of the process.
@ -408,8 +413,8 @@ Click the **Add devices** link to upload your CSV file. A message will appear in
## Create and assign a Windows Autopilot deployment profile
>[!IMPORTANT]
>Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only <U>pick one for purposes of this lab</U>:
> [!IMPORTANT]
> Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only <U>pick one for purposes of this lab</U>:
Pick one:
- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
@ -417,12 +422,12 @@ Pick one:
### Create a Windows Autopilot deployment profile using Intune
>[!NOTE]
>Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
> [!NOTE]
> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
![Devices](images/intune-devices.png)
>The example above lists both a physical device and a VM. Your list should only include only one of these.
> The example above lists both a physical device and a VM. Your list should only include only one of these.
To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles**
@ -458,7 +463,7 @@ See the following example:
Click on **OK** and then click on **Create**.
>If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
> If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
#### Assign the profile
@ -534,8 +539,8 @@ Confirm the profile was successfully assigned to the intended device by checking
![MSfB assign](images/msfb-assign2.png)
>[!IMPORTANT]
>The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
> [!IMPORTANT]
> The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
## See Windows Autopilot in action
@ -545,14 +550,14 @@ If you shut down your VM after the last reset, its time to start it back up a
Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
>[!TIP]
>If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience youre expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
> [!TIP]
> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience youre expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
- Ensure your device has an internet connection.
- Turn on the device
- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
![OOBE sign-in page](images/autopilot-oobe.jpg)
![OOBE sign-in page](images/autopilot-oobe.jpg)
Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
@ -570,35 +575,38 @@ To use the device (or VM) for other purposes after completion of this lab, you w
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
![Delete device](images/delete-device1.png)
![Delete device](images/delete-device1.png)
Click **X** when challenged to complete the operation:
![Delete device](images/delete-device2.png)
![Delete device](images/delete-device2.png)
This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
![Delete device](images/delete-device3.png)
![Delete device](images/delete-device3.png)
The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
> [!NOTE]
> A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
To remove the device from the Autopilot program, select the device and click Delete.
![Delete device](images/delete-device4.png)
![Delete device](images/delete-device4.png)
A warning message appears reminding you to first remove the device from Intune, which we previously did.
![Delete device](images/delete-device5.png)
![Delete device](images/delete-device5.png)
At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
![Delete device](images/delete-device6.png)
![Delete device](images/delete-device6.png)
Once the device no longer appears, you are free to reuse it for other purposes.
If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
![Delete device](images/delete-device7.png)
![Delete device](images/delete-device7.png)
## Appendix A: Verify support for Hyper-V
@ -618,9 +626,9 @@ Hyper-V Requirements: VM Monitor Mode Extensions: Yes
In this example, the computer supports SLAT and Hyper-V.
>If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
> If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [Coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
<pre style="overflow-y: visible">
C:>coreinfo -v
@ -637,7 +645,8 @@ VMX * Supports Intel hardware-assisted virtualization
EPT * Supports Intel extended page tables (SLAT)
</pre>
Note: A 64-bit operating system is required to run Hyper-V.
> [!NOTE]
> A 64-bit operating system is required to run Hyper-V.
## Appendix B: Adding apps to your profile
@ -645,10 +654,10 @@ Note: A 64-bit operating system is required to run Hyper-V.
#### Prepare the app for Intune
Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool:
Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
1. The source folder for your application
2. The name of the setup executable file
2. The name of the setup executable file
3. The output folder for the new file
For the purposes of this lab, well use the Notepad++ tool as our Win32 app.
@ -657,7 +666,7 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms
Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
![Add app](images/app01.png)
![Add app](images/app01.png)
After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
@ -667,50 +676,51 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
![Add app](images/app02.png)
![Add app](images/app02.png)
Under **App Type**, select **Windows app (Win32)**:
![Add app](images/app03.png)
![Add app](images/app03.png)
On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
![Add app](images/app04.png)
![Add app](images/app04.png)
On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
![Add app](images/app05.png)
![Add app](images/app05.png)
On the **Program Configuration** blade, supply the install and uninstall commands:
Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
> [!NOTE]
> Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
![Add app](images/app06.png)
![Add app](images/app06.png)
Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesnt actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesnt actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
Click **OK** to save your input and activate the **Requirements** blade.
On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
![Add app](images/app07.png)
![Add app](images/app07.png)
Next, configure the **Detection rules**. For our purposes, we will select manual format:
![Add app](images/app08.png)
![Add app](images/app08.png)
Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
![Add app](images/app09.png)
![Add app](images/app09.png)
Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
**Return codes**: For our purposes, leave the return codes at their default values:
![Add app](images/app10.png)
![Add app](images/app10.png)
Click **OK** to exit.
@ -720,31 +730,32 @@ Click the **Add** button to finalize and save your app package.
Once the indicator message says the addition has completed.
![Add app](images/app11.png)
![Add app](images/app11.png)
You will be able to find your app in your app list:
![Add app](images/app12.png)
![Add app](images/app12.png)
#### Assign the app to your Intune profile
**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
> [!NOTE]
> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
![Add app](images/app13.png)
![Add app](images/app13.png)
Select **Add Group** to open the **Add group** pane that is related to the app.
For our purposes, select **Required** from the **Assignment type** dropdown menu:
>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
Select **Included Groups** and assign the groups you previously created that will use this app:
![Add app](images/app14.png)
![Add app](images/app14.png)
![Add app](images/app15.png)
![Add app](images/app15.png)
In the **Select groups** pane, click the **Select** button.
@ -754,7 +765,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
![Add app](images/app16.png)
![Add app](images/app16.png)
At this point, you have completed steps to add a Win32 app to Intune.
@ -768,51 +779,52 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
![Add app](images/app17.png)
![Add app](images/app17.png)
Under **App Type**, select **Office 365 Suite > Windows 10**:
![Add app](images/app18.png)
![Add app](images/app18.png)
Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
![Add app](images/app19.png)
![Add app](images/app19.png)
Click **OK**.
In the **App Suite Information** pane, enter a <i>unique</i> suite name, and a suitable description.
In the **App Suite Information** pane, enter a <i>unique</i> suite name, and a suitable description.
>Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
> Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
![Add app](images/app20.png)
![Add app](images/app20.png)
Click **OK**.
In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
![Add app](images/app21.png)
![Add app](images/app21.png)
Click **OK** and then click **Add**.
#### Assign the app to your Intune profile
**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
> [!NOTE]
> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
![Add app](images/app22.png)
![Add app](images/app22.png)
Select **Add Group** to open the **Add group** pane that is related to the app.
For our purposes, select **Required** from the **Assignment type** dropdown menu:
>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
Select **Included Groups** and assign the groups you previously created that will use this app:
![Add app](images/app23.png)
![Add app](images/app23.png)
![Add app](images/app24.png)
![Add app](images/app24.png)
In the **Select groups** pane, click the **Select** button.
@ -822,7 +834,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
![Add app](images/app25.png)
![Add app](images/app25.png)
At this point, you have completed steps to add Office to Intune.
@ -830,7 +842,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app
If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
![Add app](images/app26.png)
![Add app](images/app26.png)
## Glossary

40
windows/deployment/windows-autopilot/troubleshooting.md
View File

@ -42,6 +42,46 @@ For troubleshooting, key activities to perform are:
- Azure AD join issues. Was the device able to join Azure Active Directory?
- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)?
## Troubleshooting Autopilot Device Import
### Clicking Import after selecting CSV does nothing, '400' error appears in network trace with error body **"Cannot convert the literal '[DEVICEHASH]' to the expected type 'Edm.Binary'"**
This error points to the device hash being incorrectly formatted. This could be caused by anything that corrupts the collected hash, but one possibility is that the hash itself, even if completely valid, fails to be decoded.
The device hash is Base64. At the device level, it's encoded as unpadded Base64, but Autopilot expects padded Base64. In most cases, it seems the payload lines up to not require padding, so the process works, but sometimes it doesn't line up cleanly and padding is necessary. This is when you get the error above. Powershell's Base64 decoder also expects padded Base64, so we can use that to validate that the hash is properly padded.
The "A" characters at the end of the hash are effectively empty data - Each character in Base64 is 6 bits, A in Base64 is 6 bits equal to 0. Deleting or adding "A"s at the end doesn't change the actual payload data.
To fix this, we'll need to modify the hash, then test the new value, until powershell succeeds in decoding the hash. The result is mostly illegible, this is fine - we're just looking for it to not throw the error "Invalid length for a Base-64 char array or string".
To test the base64, you can use the following:
```powershell
[System.Text.Encoding]::ascii.getstring( [System.Convert]::FromBase64String("DEVICE HASH"))
```
So, as an example (this is not a device hash, but it's misaligned unpadded Base64 so it's good for testing):
```powershell
[System.Text.Encoding]::ascii.getstring( [System.Convert]::FromBase64String("Q29udG9zbwAAA"))
```
Now for the padding rules. The padding character is "=". The padding character can only be at the end of the hash, and there can only be a maximum of 2 padding characters. Here's the basic logic.
- Does decoding the hash fail?
- Yes: Are the last two characters "="?
- Yes: Replace both "=" with a single "A" character, then try again
- No: Add another "=" character at the end, then try again
- No: That hash is valid
Looping the logic above on the previous example hash, we get the following permutations:
- Q29udG9zbwAAA
- Q29udG9zbwAAA=
- Q29udG9zbwAAA==
- Q29udG9zbwAAAA
- Q29udG9zbwAAAA=
- **Q29udG9zbwAAAA==** (This one has valid padding)
Replace the collected hash with this new padded hash then try to import again.
## Troubleshooting Autopilot OOBE issues
If the expected Autopilot behavior does not occur during the out-of-box experience (OOBE), it is useful to see whether the device received an Autopilot profile and what settings that profile contained. Depending on the Windows 10 release, there are different mechanisms available to do that.

1
windows/privacy/manage-windows-1903-endpoints.md
View File

@ -161,7 +161,6 @@ The following methodology was used to derive these network endpoints:
|||HTTPS|ris.api.iris.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
|||HTTPS|*.prod.do.dsp.mp.microsoft.com|
|||HTTP|cs9.wac.phicdn.net|
|||HTTP|emdl.ws.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com|
|||HTTP|*.windowsupdate.com|

10
windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
View File

@ -37,7 +37,6 @@ sections:
<tr><td><div id='374msg'></div><b>MSRT might fail to install and be re-offered from Windows Update or WSUS </b><br>The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.<br><br><a href = '#374msgdesc'>See details ></a></td><td><br><a href ='' target='_blank'></a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>January 23, 2020 <br>02:08 PM PT</td></tr>
<tr><td><div id='351msg'></div><b>Intermittent issues when printing</b><br>The print spooler service may intermittently have issues completing a print job and results print job failure.<br><br><a href = '#351msgdesc'>See details ></a></td><td>September 24, 2019<br><a href ='https://support.microsoft.com/help/4516048' target='_blank'>KB4516048</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4519976' target='_blank'>KB4519976</a></td><td>October 08, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='329msg'></div><b>You may receive an error when opening or using the Toshiba Qosmio AV Center</b><br>Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll.<br><br><a href = '#329msgdesc'>See details ></a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512506' target='_blank'>KB4512506</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4516048' target='_blank'>KB4516048</a></td><td>September 24, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='307msg'></div><b>Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV</b><br>Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed<br><br><a href = '#307msgdesc'>See details ></a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512506' target='_blank'>KB4512506</a></td><td>Resolved External<br></td><td>August 27, 2019 <br>02:29 PM PT</td></tr>
</table>
"
@ -84,12 +83,3 @@ sections:
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='329msgdesc'></div><b>You may receive an error when opening or using the Toshiba Qosmio AV Center</b><div>After installing <a href='https://support.microsoft.com/help/4512506' target='_blank'>KB4512506</a>, you may receive an error when opening or using the Toshiba <strong>Qosmio AV Center</strong>.&nbsp;You may also receive an error in <strong>Event Log</strong> related to cryptnet.dll.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 7 SP1</li></ul><div></div><div><strong>Resolution:</strong>&nbsp;This issue was resolved in <a href='https://support.microsoft.com/help/4516048' target='_blank'>KB4516048</a>.</div><br><a href ='#329msg'>Back to top</a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512506' target='_blank'>KB4512506</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4516048' target='_blank'>KB4516048</a></td><td>Resolved:<br>September 24, 2019 <br>10:00 AM PT<br><br>Opened:<br>September 10, 2019 <br>09:48 AM PT</td></tr>
</table>
"
- title: August 2019
- items:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='307msgdesc'></div><b>Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV</b><div>Symantec identified the potential for a negative interaction that may occur after Windows Updates code signed with SHA-2 only certificates are installed on devices with Symantec or Norton antivirus programs installed. The software may not correctly identify files included in the update as code signed by Microsoft, putting the device at risk for a delayed or incomplete update.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 7 SP1</li><li>Server: Windows Server 2008 R2 SP1</li></ul><div></div><div><strong>Resolution:&nbsp;</strong>The safeguard hold has been removed.&nbsp;Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows 2008 R2 and has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection and Norton antivirus programs. See the <a href=\"https://support.symantec.com/us/en/article.tech255857.html\" target=\"_blank\">Symantec support article</a> for additional detail and please reach out to Symantec or Norton support if you encounter any issues.</div><br><a href ='#307msg'>Back to top</a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512506' target='_blank'>KB4512506</a></td><td>Resolved External<br></td><td>Last updated:<br>August 27, 2019 <br>02:29 PM PT<br><br>Opened:<br>August 13, 2019 <br>10:05 AM PT</td></tr>
</table>
"

1
windows/release-information/windows-message-center.yml
View File

@ -50,6 +50,7 @@ sections:
text: "
<table border ='0'><tr><td width='80%'>Message</td><td width='20%'>Date</td></tr>
<tr><td id='397'><a href = 'https://support.microsoft.com/help/4535996' target='_blank'><b>February 2020 Windows 10, version 1909 and Windows 10, version 1903 \"D\" optional release is available</b></a><a class='docon docon-link heading-anchor' aria-labelledby='397' href='#397'></a><br><div>The February 2020 optional monthly “D” release for Windows 10, version 1909 and Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our <a href=\"https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376\" rel=\"noopener noreferrer\" target=\"_blank\">Windows 10 update servicing cadence primer</a>. Follow&nbsp;<a href=\"https://twitter.com/windowsupdate\" rel=\"noopener noreferrer\" target=\"_blank\">@WindowsUpdate</a>&nbsp;for the latest on the availability of this release.</div></td><td>February 27, 2020 <br>01:30 PM PT</td></tr>
<tr><td id='396'><b>February 2020 Windows \"C\" optional release is available.</b><a class='docon docon-link heading-anchor' aria-labelledby='396' href='#396'></a><br><div>The February 2020<strong> </strong>optional monthly “C” release for all supported versions of Windows&nbsp;prior to Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our <a href=\"https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376\" rel=\"noopener noreferrer\" target=\"_blank\">Windows 10 update servicing cadence primer</a>. Follow&nbsp;<a href=\"https://twitter.com/windowsupdate\" rel=\"noopener noreferrer\" target=\"_blank\">@WindowsUpdate</a>&nbsp;for the latest on the availability of this release.</div></td><td>February 25, 2020 <br>08:00 AM PT</td></tr>
<tr><td id='394'><b>Status of February 2020 “C” release</b><a class='docon docon-link heading-anchor' aria-labelledby='394' href='#394'></a><br><div>The optional monthly “C” release for February 2020 for all supported versions of Windows and Windows Server prior to Windows 10, version 1903 and Windows Server, version 1903 will be available in the near term. For more information on the different types of monthly quality updates, see our&nbsp;<a href=\"https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376\" rel=\"noopener noreferrer\" target=\"_blank\">Windows 10 update servicing cadence primer</a>. Follow <a href=\"https://twitter.com/windowsupdate\" rel=\"noopener noreferrer\" target=\"_blank\"><u>@WindowsUpdate</u></a> for the latest on the availability of this release.</div></td><td>February 21, 2020 <br>12:00 PM PT</td></tr>
<tr><td id='391'><a href = 'https://support.microsoft.com/help/4542617' target='_blank'><b>Compatibility issue with some Windows Server container images</b></a><a class='docon docon-link heading-anchor' aria-labelledby='391' href='#391'></a><br><div>If you are encountering issues with Windows Server container images, please see <a href=\"https://support.microsoft.com/help/4542617\" rel=\"noopener noreferrer\" target=\"_blank\">KB4542617</a>.</div></td><td>February 13, 2020 <br>03:21 PM PT</td></tr>

2
windows/security/identity-protection/access-control/active-directory-security-groups.md
View File

@ -3375,7 +3375,7 @@ This security group has not changed since Windows Server 2008.
### <a href="" id="bkmk-serveroperators"></a>Server Operators
Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Memebers of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.

2
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -35,7 +35,7 @@ ms.reviewer:
The Microsoft PIN reset services enables you to help users recover who have forgotten their PIN. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
>[!IMPORTANT]
> The Microsoft PIN Reset service only works with Windows 10, version 1709 to 1809 with **Enterprise Edition**. The feature works with **Pro** edition with Windows 10, version 1903 and newer.
> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer.
### Onboarding the Microsoft PIN reset service to your Intune tenant

132
windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
View File

@ -1,5 +1,5 @@
---
title: Create an Application to access Microsoft Defender ATP without a user
title: Create an app to access Microsoft Defender ATP without a user
ms.reviewer:
description: Learn how to design a web app to get programmatic access to Microsoft Defender ATP without a user.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
@ -23,104 +23,88 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
This page describes how to create an application to get programmatic access to Microsoft Defender ATP without a user.
If you need programmatic access Microsoft Defender ATP on behalf of a user, see [Get access with user context](exposed-apis-create-app-nativeapp.md)
If you are not sure which access you need, see [Get started](apis-intro.md).
This page describes how to create an application to get programmatic access to Microsoft Defender ATP without a user. If you need programmatic access to Microsoft Defender ATP on behalf of a user, see [Get access with user context](exposed-apis-create-app-nativeapp.md). If you are not sure which access you need, see [Get started](apis-intro.md).
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, youll need to take the following steps to use the APIs:
- Create an AAD application
- Get an access token using this application
- Use the token to access Microsoft Defender ATP API
- Create an Azure Active Directory (Azure AD) application.
- Get an access token using this application.
- Use the token to access Microsoft Defender ATP API.
This page explains how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token.
This article explains how to create an Azure AD application, get an access token to Microsoft Defender ATP, and validate the token.
## Create an app
1. Log on to [Azure](https://portal.azure.com) with user that has **Global Administrator** role.
1. Log on to [Azure](https://portal.azure.com) with a user that has the **Global Administrator** role.
2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**.
![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app2.png)
3. In the registration form, choose a name for your application and then click **Register**.
3. In the registration form, choose a name for your application, and then select **Register**.
4. Allow your Application to access Microsoft Defender ATP and assign it **'Read all alerts'** permission:
4. To enable your app to access Microsoft Defender ATP and assign it **'Read all alerts'** permission, on your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** >, type **WindowsDefenderATP**, and then select **WindowsDefenderATP**.
- On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
- **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
> [!NOTE]
> WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
![Image of API access and API selection](images/add-permission.png)
- Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions**
- Select **Application permissions** > **Alert.Read.All**, and then select **Add permissions**.
![Image of API access and API selection](images/application-permissions.png)
**Important note**: You need to select the relevant permissions. 'Read All Alerts' is only an example!
Note that you need to select the relevant permissions. 'Read All Alerts' is only an example. For instance:
For instance,
- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
- To [run advanced queries](run-advanced-query-api.md), select the 'Run advanced queries' permission.
- To [isolate a machine](isolate-machine.md), select the 'Isolate machine' permission.
- To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
5. Click **Grant consent**
5. Select **Grant consent**.
- **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
> [!NOTE]
> Every time you add a permission, you must select **Grant consent** for the new permission to take effect.
![Image of Grant permissions](images/grant-consent.png)
![Image of Grant permissions](images/grant-consent.png)
6. Add a secret to the application.
6. To add a secret to the application, select **Certificates & secrets**, add a description to the secret, and then select **Add**.
- Click **Certificates & secrets**, add description to the secret and click **Add**.
**Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
> [!NOTE]
> After you select **Add**, select **copy the generated secret value**. You won't be able to retrieve this value after you leave.
![Image of create app key](images/webapp-create-key2.png)
7. Write down your application ID and your tenant ID:
- On your application page, go to **Overview** and copy the following:
7. Write down your application ID and your tenant ID. On your application page, go to **Overview** and copy the following.
![Image of created app id](images/app-and-tenant-ids.png)
8. **For Microsoft Defender ATP Partners only** - Set your application to be multi-tenanted (available in all tenants after consent)
8. **For Microsoft Defender ATP Partners only**. Set your app to be multi-tenanted (available in all tenants after consent). This is **required** for third-party apps (for example, if you create an app that is intended to run in multiple customers' tenant). This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data). To set your app to be multi-tenanted:
This is **required** for 3rd party applications (for example, if you create an application that is intended to run in multiple customers tenant).
- Go to **Authentication**, and add https://portal.azure.com as the **Redirect URI**.
This is **not required** if you create a service that you want to run in your tenant only (i.e. if you create an application for your own usage that will only interact with your own data)
- On the bottom of the page, under **Supported account types**, select the **Accounts in any organizational directory** application consent for your multi-tenant app.
- Go to **Authentication** > Add https://portal.azure.com as **Redirect URI**.
You need your application to be approved in each tenant where you intend to use it. This is because your application interacts Microsoft Defender ATP on behalf of your customer.
- On the bottom of the page, under **Supported account types**, mark **Accounts in any organizational directory**
You (or your customer if you are writing a third-party app) need to select the consent link and approve your app. The consent should be done with a user who has administrative privileges in Active Directory.
- Application consent for your multi-tenant Application:
You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with Microsoft Defender ATP application on behalf of your customer.
You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
Consent link is of the form:
The consent link is formed as follows:
```
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
```
where 00000000-0000-0000-0000-000000000000 should be replaced with your Application ID
Where 00000000-0000-0000-0000-000000000000 is replaced with your application ID.
- **Done!** You have successfully registered an application!
- See examples below for token acquisition and validation.
**Done!** You have successfully registered an application! See examples below for token acquisition and validation.
## Get an access token examples:
## Get an access token
For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
For more details on Azure AD tokens, see the [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds).
### Using PowerShell
### Use PowerShell
```
# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
@ -144,19 +128,19 @@ Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token
```
### Using C#:
### Use C#:
>The below code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
The following code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8.
- Create a new Console Application
- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
- Add the below using
1. Create a new console application.
1. Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/).
1. Add the following:
```
using Microsoft.IdentityModel.Clients.ActiveDirectory;
```
- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
1. Copy and paste the following code in your app (don't forget to update the three variables: ```tenantId, appId, appSecret```):
```
string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
@ -173,26 +157,25 @@ return $token
```
### Using Python
### Use Python
Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
See [Get token using Python](run-advanced-query-sample-python.md#get-token).
### Using Curl
### Use Curl
> [!NOTE]
> The below procedure supposed Curl for Windows is already installed on your computer
> The following procedure assumes that Curl for Windows is already installed on your computer.
- Open a command window
- Set CLIENT_ID to your Azure application ID
- Set CLIENT_SECRET to your Azure application secret
- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender ATP application
- Run the below command:
1. Open a command prompt, and set CLIENT_ID to your Azure application ID.
1. Set CLIENT_SECRET to your Azure application secret.
1. Set TENANT_ID to the Azure tenant ID of the customer that wants to use your app to access Microsoft Defender ATP.
1. Run the following command:
```
curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k
```
You will get an answer of the form:
You will get an answer in the following form:
```
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}
@ -200,20 +183,21 @@ You will get an answer of the form:
## Validate the token
Sanity check to make sure you got a correct token:
- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
- Validate you get a 'roles' claim with the desired permissions
- In the screen shot below you can see a decoded token acquired from an Application with permissions to all of Microsoft Defender ATP's roles:
Ensure that you got the correct token:
1. Copy and paste the token you got in the previous step into [JWT](https://jwt.ms) in order to decode it.
1. Validate that you get a 'roles' claim with the desired permissions
1. In the following image, you can see a decoded token acquired from an app with permissions to all of Microsoft Defender ATP's roles:
![Image of token validation](images/webapp-decoded-token.png)
## Use the token to access Microsoft Defender ATP API
- Choose the API you want to use, for more information, see [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
- Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme)
- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
1. Choose the API you want to use. For more information, see [Supported Microsoft Defender ATP APIs](exposed-apis-list.md).
1. Set the authorization header in the http request you send to "Bearer {token}" (Bearer is the authorization scheme).
1. The expiration time of the token is one hour. You can send more then one request with the same token.
- Example of sending a request to get a list of alerts **using C#**
The following is an example of sending a request to get a list of alerts **using C#**:
```
var httpClient = new HttpClient();

2
windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
View File

@ -45,7 +45,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
3. Set the deployment method to **Mobile Device Management / Microsoft Intune**.
>[!NOTE]
>JamF falls under **Mobile Device Management**.
>Jamf falls under **Mobile Device Management**.
4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.

5
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
View File

@ -62,7 +62,7 @@ In general you need to take the following steps:
- [Manual deployment](linux-install-manually.md)
- Third-party management tools:
- [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
- [Deploy using Ansbile configuration management tool](linux-install-with-ansible.md)
- [Deploy using Ansible configuration management tool](linux-install-with-ansible.md)
### System requirements
@ -92,6 +92,9 @@ The following table lists the services and their associated URLs that your netwo
| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com |
| United States | unitedstates.x.cp.wd.microsoft.com <br/> us-v20.events.data.microsoft.com |
> [!NOTE]
> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server)
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
- Transparent proxy
- Manual static proxy configuration

2
windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
View File

@ -22,7 +22,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Microsoft Threat Experts is a managed detection and response (MDR) service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments dont get missed.
Microsoft Threat Experts is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments dont get missed.
This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand.