deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-23 06:13:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/amymzhou/windows-docs-pr

Browse Source
This commit is contained in:
Amy Zhou
2022-11-30 16:09:07 -08:00
parent e2cebd1778 c1c67a1e6a
commit fbe7eef405
152 changed files with 4477 additions and 3515 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
.openpublishing.redirection.json
View File

@ -420,6 +420,11 @@
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/citool-commands.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands",
"redirect_document_id": false
},
{
"source_path": "devices/hololens/hololens-whats-new.md",
"redirect_url": "/hololens/hololens-release-notes",
@ -19927,12 +19932,7 @@
},
{
"source_path": "windows/deployment/do/mcc-enterprise.md",
"redirect_url": "/windows/deployment/do/mcc-enterprise-overview",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/do/mcc-enterprise-overview.md",
"redirect_url": "/windows/deployment/do/mcc-enterprise-prerequisites",
"redirect_url": "/windows/deployment/do/waas-microsoft-connected-cache",
"redirect_document_id": false
},
{

8
education/docfx.json
View File

@ -62,14 +62,6 @@
"garycentric"
]
},
"fileMetadata": {
"ms.localizationpriority": {
"windows/tutorial-school-deployment/**/**.md": "medium"
},
"ms.topic": {
"windows/tutorial-school-deployment/**/**.md": "tutorial"
}
},
"externalReference": [],
"template": "op.html",
"dest": "education",

6
education/index.yml
View File

@ -2,19 +2,13 @@
title: Microsoft 365 Education Documentation
summary: Microsoft 365 Education empowers educators to unlock creativity, promote teamwork, and provide a simple and safe experience in a single, affordable solution built for education.
# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-apps | power-automate | power-bi | power-platform | power-virtual-agents | sql | sql-server | vs | visual-studio | windows | xamarin
brand: m365
metadata:
title: Microsoft 365 Education Documentation
description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
ms.service: help
ms.topic: hub-page
ms.collection: education
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/10/2022
manager: aaroncz
productDirectory:
title: For IT admins

8
education/windows/federated-sign-in.md
View File

@ -2,15 +2,7 @@
title: Configure federated sign-in for Windows devices
description: Description of federated sign-in feature for Windows 11 SE and how to configure it via Intune
ms.date: 09/15/2022
ms.prod: windows
ms.technology: windows
ms.topic: how-to
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer:
manager: aaroncz
ms.collection: education
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
---

8
education/windows/windows-11-se-faq.yml
View File

@ -2,15 +2,7 @@
metadata:
title: Windows 11 SE Frequently Asked Questions (FAQ)
description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE.
ms.prod: windows
ms.technology: windows
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer:
ms.collection: education
ms.topic: faq
localizationpriority: medium
ms.date: 09/14/2022
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>

8
education/windows/windows-11-se-overview.md
View File

@ -81,6 +81,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Application | Supported version | App Type | Vendor |
|-----------------------------------------|-------------------|----------|------------------------------|
| 3d builder | 15.2.10821.1070 | Win32 | Microsoft |
| AirSecure | 8.0.0 | Win32 | AIR |
| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
| Brave Browser | 106.0.5249.65 | Win32 | Brave |
@ -95,6 +96,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| DRC INSIGHT Online Assessments | 12.0.0.0 | Store | Data recognition Corporation |
| Duo from Cisco | 2.25.0 | Win32 | Cisco |
| e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking |
|Epson iProjection | 3.31 | Win32 | Epson |
| eTests | 4.0.25 | Win32 | CASAS |
| FortiClient | 7.2.0.4034+ | Win32 | Fortinet |
| Free NaturalReader | 16.1.2 | Win32 | Natural Soft |
@ -104,6 +106,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education |
| Immunet | 7.5.0.20795 | Win32 | Immunet |
| Impero Backdrop Client | 4.4.86 | Win32 | Impero Software |
| Inspiration 10 | 10.11 | Win32 | Inspiration Software, Inc. |
| JAWS for Windows | 2022.2112.24 | Win32 | Freedom Scientific |
| Kite Student Portal | 8.0.3.0 | Win32 | Dynamic Learning Maps |
| Kortext | 2.3.433.0 | Store | Kortext |
@ -122,6 +125,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies |
| NonVisual Desktop Access | 2021.3.1 | Win32 | NV Access |
| NWEA Secure Testing Browser | 5.4.356.0 | Win32 | NWEA |
| PaperCut | 22.0.6 | Win32 | PaperCut Software International Pty Ltd |
| Pearson TestNav | 1.10.2.0 | Store | Pearson |
| Questar Secure Browser | 4.8.3.376 | Win32 | Questar, Inc |
| ReadAndWriteForWindows | 12.0.60.0 | Win32 | Texthelp Ltd. |
@ -130,8 +134,12 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus |
| Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser |
| Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud |
| Smoothwall monitor | 2.8.0 | Win32 | Smoothwall Ltd |
| SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access |
| SuperNova Magnifier & Speech | 21.02 | Win32 | Dolphin Computer Access |
| VitalSourceBookShelf | 10.2.26.0 | Win32 | VitalSource Technologies Inc |
| Winbird | 19 | Win32 | Winbird Co., Ltd. |
| WordQ | 5.4.23 | Win32 | Mathetmots |
| Zoom | 5.9.1 (2581) | Win32 | Zoom |
| ZoomText Fusion | 2022.2109.10 | Win32 | Freedom Scientific |
| ZoomText Magnifier/Reader | 2022.2109.25 | Win32 | Freedom Scientific |

63
smb/docfx.json
View File

@ -1,63 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"smb/**",
"**/includes/**"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"smb/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/smb/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"feedback_system": "None",
"hideEdit": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "TechNet.smb",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"Kellylorenebaker",
"jborsecnik",
"tiburd",
"AngelaMotherofDragons",
"dstrome",
"v-dihans",
"garycentric"
],
"titleSuffix": "Windows for Small to Midsize Business"
},
"fileMetadata": {},
"template": [],
"dest": "smb",
"markdownEngineName": "markdig"
}
}

11
smb/includes/smb-content-updates.md
View File

@ -1,11 +0,0 @@
<!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->
## Week of July 18, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 7/22/2022 | Deploy and manage a full cloud IT solution for your business | removed |

4
windows/client-management/azure-active-directory-integration-with-mdm.md
View File

@ -202,9 +202,9 @@ The following table shows the required information to create an entry in the Azu
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrator to add an app to their tenant.
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. The ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance.
## Themes

4
windows/client-management/mdm/laps-csp.md
View File

@ -17,7 +17,7 @@ ms.date: 09/20/2022
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145.
> [!IMPORTANT]
> Windows LAPS is currently only available in Windows Insider builds as of 25145 and later. Support for the Windows LAPS Azure AD scenario is currently limited to a small group of Windows Insiders.
> Windows LAPS currently is available only in [Windows 11 Insider Preview Build 25145 and later](/windows-insider/flight-hub/#active-development-builds-of-windows-11). Support for the Windows LAPS Azure Active Directory scenario is currently in private preview, and limited to a small number of customers who have a direct engagement with engineering. Once public preview is declared in 2023, all customers will be able to evaluate this AAD scenario.
> [!TIP]
> This article covers the specific technical details of the LAPS CSP. For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps).
@ -63,7 +63,7 @@ The LAPS CSP can be used to manage devices that are either joined to Azure AD or
|ResetPasswordStatus|Yes|Yes|
> [!IMPORTANT]
> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see the TBD reference on LAPS policy configuration.
> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
## ./Device/Vendor/MSFT/LAPS

2
windows/configuration/kiosk-policies.md
View File

@ -56,7 +56,7 @@ Remove Task Manager | Enabled
Remove Change Password option in Security Options UI | Enabled
Remove Sign Out option in Security Options UI | Enabled
Remove All Programs list from the Start Menu | Enabled Remove and disable setting
Prevent access to drives from My Computer | Enabled - Restrict all drivers
Prevent access to drives from My Computer | Enabled - Restrict all drives
>[!NOTE]
>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.

2
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -576,7 +576,7 @@ These apps are in addition to any mixed reality apps that you allow.
After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers.
There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.
There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](/windows/mixed-reality/discover/navigating-the-windows-mixed-reality-home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.
## Policies set by multi-app kiosk configuration

8
windows/deployment/TOC.yml
View File

@ -184,11 +184,11 @@
href: update/deploy-updates-intune.md
- name: Monitor
items:
- name: Windows Update for Business reports (preview)
- name: Windows Update for Business reports
items:
- name: Windows Update for Business reports overview
href: update/wufb-reports-overview.md
- name: Enable Windows Update for Business reports (preview)
- name: Enable Windows Update for Business reports
items:
- name: Windows Update for Business reports prerequisites
href: update/wufb-reports-prerequisites.md
@ -200,7 +200,7 @@
href: update/wufb-reports-configuration-manual.md
- name: Configure clients with Microsoft Intune
href: update/wufb-reports-configuration-intune.md
- name: Use Windows Update for Business reports (preview)
- name: Use Windows Update for Business reports
items:
- name: Windows Update for Business reports workbook
href: update/wufb-reports-workbook.md
@ -210,7 +210,7 @@
href: update/wufb-reports-use.md
- name: Feedback, support, and troubleshooting
href: update/wufb-reports-help.md
- name: Windows Update for Business reports (preview) schema reference
- name: Windows Update for Business reports schema reference
items:
- name: Windows Update for Business reports schema reference
href: update/wufb-reports-schema.md

33
windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
View File

@ -15,40 +15,47 @@ ms.date: 10/27/2022
# Add a Windows 10 operating system image using Configuration Manager
**Applies to**
*Applies to:*
- Windows 10
- Windows 10
Operating system images are typically the production image used for deployment throughout the organization. This article shows you how to add a Windows 10 operating system image created with Microsoft Configuration Manager, and how to distribute the image to a distribution point.
## Infrastructure
For the purposes of this guide, we'll use one server computer: CM01.
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
- CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
>[!IMPORTANT]
>The procedures in this article require a reference image. Our reference images is named **REFW10-X64-001.wim**. If you have not already created a reference image, then perform all the steps in [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md) on CM01, replacing MDT01 with CM01. The final result will be a reference image located in the D:\MDTBuildLab\Captures folder that you can use for the procedure below.
> [!IMPORTANT]
> The procedures in this article require a reference image. Our reference images is named **REFW10-X64-001.wim**. If you have not already created a reference image, then perform all the steps in [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md) on CM01, replacing MDT01 with CM01. The final result will be a reference image located in the D:\MDTBuildLab\Captures folder that you can use for the procedure below.
## Add a Windows 10 operating system image
## Add a Windows 10 operating system image
On **CM01**:
1. Using File Explorer, in the **D:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
2. Copy the REFW10-X64-001.wim file to the **D:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder.
1. Using File Explorer, in the **`D:\Sources\OSD\OS`** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
2. Copy the `REFW10-X64-001.wim` file to the **`D:\Sources\OSD\OS\Windows 10 Enterprise x64 RTM`** folder.
![figure 17.](../images/ref-image.png)
The Windows 10 image being copied to the Sources folder structure.
3. Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**.
4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim, select x64 next to Architecture and choose a language, then select **Next**.
5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, select **Next** twice, and then select **Close**.
6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**.
7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**.
8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
3. Using the Configuration Manager Console, in the **Software Library** workspace, right-click **Operating System Images**, and select **Add Operating System Image**.
4. On the **Data Source** page, in the **Path:** text box, browse to **`\\CM01\Sources$\OSD\OS\Windows 10 Enterprise x64 RTM\REFW10-X64-001.wim`**, select x64 next to Architecture and choose a language, then select **Next**.
5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, select **Next** twice, and then select **Close**.
6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**.
7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**.
8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the `D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log` file and look for the **STATMSG: ID=2301** line.
![figure 18.](../images/fig18-distwindows.png)

40
windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
View File

@ -15,13 +15,14 @@ ms.date: 10/27/2022
# Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
**Applies to**
*Applies to:*
- Windows 10
In this article, you'll learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it's likely you'll have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
For the purposes of this guide, we'll use one server computer: CM01.
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
@ -30,10 +31,10 @@ For the purposes of this guide, we'll use one server computer: CM01.
This section will show you how to import some network and storage drivers for Windows PE.
>[!NOTE]
>Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure.
> [!NOTE]
> Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure.
This section assumes you've downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01.
This section assumes you've downloaded some drivers to the **`D:\Sources\OSD\DriverSources\WinPE x64`** folder on CM01.
![Drivers.](../images/cm01-drivers.png)
@ -41,12 +42,18 @@ Driver folder structure on CM01
On **CM01**:
1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and select **Next**.
1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **`\\CM01\Sources$\OSD\DriverSources\WinPE x64`** folder and select **Next**.
3. On the **Specify the details for the imported driver** page, select **Categories**, create a category named **WinPE x64**, and then select **Next**.
4. On the **Select the packages to add the imported driver** page, select **Next**.
5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image and select **Next**.
6. In the popup window that appears, select **Yes** to automatically update the distribution point.
7. Select **Next**, wait for the image to be updated, and then select **Close**.
![Add drivers to Windows PE step 1.](../images/fig21-add-drivers1.png)<br>
@ -68,27 +75,28 @@ Driver folder structure on CM01
On **CM01**:
1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder and select **Next**. Wait a minute for driver information to be validated.
1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **`\\CM01\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`** folder and select **Next**. Wait a minute for driver information to be validated.
3. On the **Specify the details for the imported driver** page, select **Categories**, create a category named **Windows 10 x64 - HP EliteBook 8560w**, select **OK**, and then select **Next**.
![Create driver categories.](../images/fig22-createcategories.png "Create driver categories")
Create driver categories
4. On the **Select the packages to add the imported driver** page, select **New Package**, use the following settings for the package, and then select **Next**:
* Name: Windows 10 x64 - HP EliteBook 8560w
* Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w
- Name: Windows 10 x64 - HP EliteBook 8560w
- Path: **`\\CM01\Sources$\OSD\DriverPackages\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`**
>[!NOTE]
>The package path does not yet exist, so you've to type it in. The wizard will create the new package using the path you specify.
> [!NOTE]
> The package path does not yet exist so it has to be created by typing it in. The wizard will create the new package using the path you specify.
5. On the **Select drivers to include in the boot image** page, don't select anything, and select **Next** twice. After the package has been created, select **Close**.
5. On the **Select drivers to include in the boot image** page, don't select anything, and select **Next** twice. After the package has been created, select **Close**.
>[!NOTE]
>If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
> [!NOTE]
> If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
![Drivers imported and a new driver package created.](../images/cm01-drivers-packages.png "Drivers imported and a new driver package created")

56
windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
View File

@ -15,14 +15,16 @@ ms.date: 10/27/2022
# Create a custom Windows PE boot image with Configuration Manager
**Applies to**
*Applies to:*
- Windows 10
In Microsoft Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This article shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
- The boot image that is created is based on the version of ADK that is installed.
For the purposes of this guide, we'll use one server computer: CM01.
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
@ -31,16 +33,21 @@ For the purposes of this guide, we'll use one server computer: CM01.
The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you don't wish to add DaRT, skip the steps below to copy DaRT tools, and later skip adding the DaRT component to the boot image.
We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named <a href="../images/ContosoBackground.png">ContosoBackground.bmp</a>.
We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **`C:\Setup\Branding`** on CM01. In this section, we use a custom background image named [ContosoBackground.png](../images/ContosoBackground.png)
On **CM01**:
1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT100.msi) using the default settings.
2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder.
3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder.
4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder.
5. Using File Explorer, navigate to the **C:\\Setup** folder.
6. Copy the **Branding** folder to **D:\\Sources\\OSD**.
1. Install DaRT 10 (**`C:\\Setup\\DaRT 10\\MSDaRT100.msi`**) using the default settings.
2. Using File Explorer, navigate to the **`C:\Program Files\Microsoft DaRT\v10`** folder.
3. Copy the Toolsx64.cab file to the **`C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64`** folder.
4. Copy the Toolsx86.cab file to the **`C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86`** folder.
5. Using File Explorer, navigate to the **`C:\Setup`** folder.
6. Copy the **Branding** folder to **`D:\Sources\OSD`**.
## Create a boot image for Configuration Manager using the MDT wizard
@ -48,15 +55,18 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
On **CM01**:
1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**.
2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and select **Next**.
1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**.
>[!NOTE]
>The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\Boot\Zero Touch WinPE x64`** and select **Next**.
3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and select **Next**.
4. On the **Options** page, select the **x64** platform, and select **Next**.
5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and select **Next**.
> [!NOTE]
> The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and select **Next**.
4. On the **Options** page, select the **x64** platform, and select **Next**.
5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and select **Next**.
![Add the DaRT component to the Configuration Manager boot image.](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image")
@ -64,19 +74,25 @@ On **CM01**:
>Note: Another common component to add here is Windows PowerShell to enable PowerShell support within Windows PE.
6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then select **Next** twice. Wait a few minutes while the boot image is generated, and then select **Finish**.
7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Don't continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples:
6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **`\\CM01\Sources$\OSD\Branding\ContosoBackground.bmp`** and then select **Next** twice. Wait a few minutes while the boot image is generated, and then select **Finish**.
7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
9. Using Configuration Manager Trace, review the `D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log` file. Don't continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **Monitoring** > **Overview** > **Distribution Status** > **Content Status** > **Zero Touch WinPE x64**. See the following examples:
![Content status for the Zero Touch WinPE x64 boot image step 1.](../images/fig16-contentstatus1.png)<br>
![Content status for the Zero Touch WinPE x64 boot image step 2.](../images/fig16-contentstatus2.png)
Content status for the Zero Touch WinPE x64 boot image
10. Using the Configuration Manager Console, in the Software Library workspace, under **Boot Images**, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
10. Using the Configuration Manager Console, in the **Software Library** workspace, under **Boot Images**, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
11. On the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and select **OK**.
12. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: **Expanding PS100009 to D:\\RemoteInstall\\SMSImages**.
13. Review the **D:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS100009) is from your new boot image with DaRT. See the examples below:
![PS100009 step 1.](../images/ps100009-1.png)<br>

133
windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
View File

@ -14,13 +14,14 @@ ms.date: 10/27/2022
# Create a task sequence with Configuration Manager and MDT
**Applies to**
*Applies to:*
- Windows 10
- Windows 10
In this article, you'll learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
For the purposes of this guide, we'll use one server computer: CM01.
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Note: Active Directory [permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) for the **CM_JD** account are required for the task sequence to work properly.
@ -31,32 +32,46 @@ This section walks you through the process of creating a Configuration Manager t
On **CM01**:
1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
2. On the **Choose Template** page, select the **Client Task Sequence** template and select **Next**.
3. On the **General** page, assign the following settings and then select **Next**:
* Task sequence name: Windows 10 Enterprise x64 RTM
* Task sequence comments: Production image with Office 365 Pro Plus x64
4. On the **Details** page, assign the following settings and then select **Next**:
* Join a Domain
* Domain: contoso.com
* Account: contoso\\CM\_JD
* Password: pass@word1
* Windows Settings
* User name: Contoso
* Organization name: Contoso
* Product key: &lt;blank&gt;
1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
2. On the **Choose Template** page, select the **Client Task Sequence** template and select **Next**.
3. On the **General** page, assign the following settings and then select **Next**:
- Task sequence name: Windows 10 Enterprise x64 RTM
- Task sequence comments: Production image with Office 365 Pro Plus x64
4. On the **Details** page, assign the following settings and then select **Next**:
- Join a Domain
- Domain: contoso.com
- Account: contoso\\CM\_JD
- Password: pass@word1
- Windows Settings
- User name: Contoso
- Organization name: Contoso
- Product key: *\<blank\>*
5. On the **Capture Settings** page, accept the default settings, and select **Next**.
6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**.
7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\MDT\MDT`**. Then select **Next**.
8. On the **MDT Details** page, assign the name **MDT** and select **Next**.
9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then select **Next**.
5. On the **Capture Settings** page, accept the default settings, and select **Next**.
6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**.
7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then select **Next**.
8. On the **MDT Details** page, assign the name **MDT** and select **Next**.
9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then select **Next**.
10. On the **Deployment Method** page, accept the default settings (Zero Touch installation) and select **Next**.
11. On the **Client Package** page, browse and select the **Microsoft Corporation Configuration Manager Client Package** and select **Next**.
12. On the **USMT Package** page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package and select **Next**.
13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings** and select **Next**.
13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\Settings\Windows 10 x64 Settings`** and select **Next**.
14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and select **Next**.
15. On the **Sysprep Package** page, select **Next** twice.
16. On the **Confirmation** page, select **Finish**.
## Edit the task sequence
@ -65,53 +80,54 @@ After you create the task sequence, we recommend that you configure the task seq
On **CM01**:
1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**.
2. In the **Install** group (about halfway down), select the **Set Variable for Drive Letter** action and configure the following:
* OSDPreserveDriveLetter: True
1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**.
>[!NOTE]
>If you don't change this value, your Windows installation will end up in D:\\Windows.
2. In the **Post Install** group, select **Apply Network Settings**, and configure the **Domain OU** value to use the **Contoso / Computers / Workstations** OU (browse for values).
3. In the **Post Install** group, select **Apply Network Settings**, and configure the **Domain OU** value to use the **Contoso / Computers / Workstations** OU (browse for values).
4. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
5. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
* Name: HP EliteBook 8560w
* Driver Package: Windows 10 x64 - HP EliteBook 8560w
* Options tab - Add Condition: Task Sequence Variable: Model equals HP EliteBook 8560w
3. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
>[!NOTE]
>You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
4. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
5. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
- Name: HP EliteBook 8560w
- Driver Package: Windows 10 x64 - HP EliteBook 8560w
- Options tab - Add Condition: Task Sequence Variable: Model equals HP EliteBook 8560w
> [!NOTE]
> You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
![Driver package options.](../images/fig27-driverpackage.png "Driver package options")
The driver package options
7. In the **State Restore / Install Applications** group, select the **Install Application** action.
8. Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list.
6. In the **State Restore / Install Applications** group, select the **Install Application** action.
7. Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list.
![Add an application to the task sequence.](../images/fig28-addapp.png "Add an application to the task sequence")
Add an application to the Configuration Manager task sequence
>[!NOTE]
>In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release.
> [!NOTE]
> In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the latest Configuration Manager current branch release.
9. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings:
* Request state storage location to: Restore state from another computer
* If computer account fails to connect to state store, use the Network Access account: selected
* Options: Continue on error
* Options / Add Condition:
* Task Sequence Variable
* USMTLOCAL not equals True
8. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings:
10. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings:
* Options: Continue on error
* Options / Condition:
* Task Sequence Variable
* USMTLOCAL not equals True
- Request state storage location to: Restore state from another computer
- If computer account fails to connect to state store, use the Network Access account: selected
- Options: Continue on error
- Options / Add Condition:
- Task Sequence Variable
- USMTLOCAL not equals True
11. Select **OK**.
9. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings:
- Options: Continue on error
- Options / Condition:
- Task Sequence Variable
- USMTLOCAL not equals True
10. Select **OK**.
## Organize your packages (optional)
@ -121,10 +137,13 @@ To create a folder for packages:
On **CM01**:
1. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
2. Right-click **Packages**, point to **Folder**, select **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure.
3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**.
4. In the **Move Selected Items** dialog box, select the **OSD** folder, and select **OK**.
1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Application Management**, and then select **Packages**.
2. Right-click **Packages**, point to **Folder**, select **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure.
3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**.
4. In the **Move Selected Items** dialog box, select the **OSD** folder, and select **OK**.
Next, see [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md).

71
windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
View File

@ -15,60 +15,71 @@ ms.date: 10/27/2022
# Create an application to deploy with Windows 10 using Configuration Manager
*Applies to:*
**Applies to**
- Windows 10
- Windows 10
Microsoft Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Configuration Manager that you later configure the task sequence to use.
For the purposes of this guide, we'll use one server computer: CM01.
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
>[!NOTE]
>The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image.
> [!NOTE]
> The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image.
## Example: Create the Adobe Reader application
On **CM01**:
1. Create the **D:\Setup** folder if it doesn't already exist.
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **D:\\Setup\\Adobe** on CM01. The filename will differ depending on the version of Acrobat Reader.
2. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. See the following example:
1. Create the **`D:\Setup`** folder if it doesn't already exist.
```powershell
Set-Location C:\Users\administrator.CONTOSO\Downloads
.\AcroRdrDC2000620034_en_US.exe -sfx_o"d:\Setup\Adobe\" -sfx_ne
```
>Note: the extraction process will create the "Adobe" folder
2. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **`D:\Setup\Adobe`** on CM01. The filename will differ depending on the version of Acrobat Reader.
3. Using File Explorer, copy the **D:\\Setup\\Adobe** folder to the **D:\\Sources\\Software\\Adobe** folder.
4. In the Configuration Manager Console, in the Software Library workspace, expand **Application Management**.
5. Right-click **Applications**, point to **Folder** and then select **Create Folder**. Assign the name **OSD**.
6. Right-click the **OSD** folder, and select **Create Application**.
7. In the Create Application Wizard, on the **General** page, use the following settings:
3. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. See the following example:
* Automatically detect information about this application from installation files
* Type: Windows Installer (\*.msi file)
* Location: \\\\CM01\\Sources$\\Software\\Adobe\\AcroRead.msi
```powershell
Set-Location C:\Users\administrator.CONTOSO\Downloads
.\AcroRdrDC2000620034_en_US.exe -sfx_o"d:\Setup\Adobe\" -sfx_ne
```
> [!NOTE]
> The extraction process will create the "Adobe" folder.
4. Using File Explorer, copy the **`D:\Setup\Adobe`** folder to the **`D:\Sources\Software\Adobe`** folder.
5. In the Configuration Manager Console, in the **Software Library** workspace, expand **Application Management**.
6. Right-click **Applications**, point to **Folder** and then select **Create Folder**. Assign the name **OSD**.
7. Right-click the **OSD** folder, and select **Create Application**.
8. In the Create Application Wizard, on the **General** page, use the following settings:
- Automatically detect information about this application from installation files
- Type: Windows Installer (\*.msi file)
- Location: `\\CM01\Sources$\Software\Adobe\AcroRead.msi`
![The Create Application Wizard.](../images/mdt-06-fig20.png "The Create Application Wizard")
The Create Application Wizard
8. Select **Next**, and wait while Configuration Manager parses the MSI file.
9. On the **Import Information** page, review the information and then select **Next**.
10. On the **General Information** page, name the application Adobe Acrobat Reader DC - OSD Install, select **Next** twice, and then select **Close**.
9. Select **Next**, and wait while Configuration Manager parses the MSI file.
>[!NOTE]
>Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
10. On the **Import Information** page, review the information and then select **Next**.
![Add the OSD Install suffix to the application name.](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
11. On the **General Information** page, name the application Adobe Acrobat Reader DC - OSD Install, select **Next** twice, and then select **Close**.
Add the "OSD Install" suffix to the application name
> [!NOTE]
> Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
11. In the **Applications** node, select the Adobe Reader - OSD Install application, and select **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties).
12. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and select **OK**.
![Add the OSD Install suffix to the application name.](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
Add the "OSD Install" suffix to the application name
12. In the **Applications** node, select the Adobe Reader - OSD Install application, and select **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties).
13. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and select **OK**.
Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md).

43
windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
View File

@ -14,13 +14,14 @@ ms.date: 10/27/2022
# Deploy Windows 10 using PXE and Configuration Manager
**Applies to**
*Applies to:*
- Windows 10
- Windows 10
In this article, you'll learn how to deploy Windows 10 using Microsoft Configuration Manager deployment packages and task sequences. This article will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this article.
This article assumes that you've completed the following prerequisite procedures:
- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
@ -30,37 +31,49 @@ This article assumes that you've completed the following prerequisite procedures
- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
For the purposes of this guide, we'll use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001).
- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS).
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
- CM01 is also running WDS that will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS.
- CM01 is also running WDS that will be required to start PC0001 via PXE.
> [!NOTE]
> Ensure that only CM01 is running WDS.
- PC0001 is a client computer that is blank, or has an operating system that will be erased and replaced with Windows 10. The device must be configured to boot from the network.
>[!NOTE]
>If desired, PC0001 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0001 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
> [!NOTE]
> If desired, PC0001 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0001 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
All server and client computers referenced in this guide are on the same subnet. This connection isn't required. But each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the `contoso.com` domain. Internet connectivity is also required to download OS and application updates.
>[!NOTE]
>No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console.
> [!NOTE]
> No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console.
## Procedures
1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass\@word1** and select **Next**.
2. On the **Welcome to the Task Sequence Wizard** page, enter in the password **pass\@word1** and select **Next**.
3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and select **Next**.
4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and select **OK**. Then select **Next**.
4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, enter **PC0001** and select **OK**. Then select **Next**.
5. The operating system deployment will take several minutes to complete.
6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then select **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following steps:
* Install the Windows 10 operating system.
* Install the Configuration Manager client and the client hotfix.
* Join the computer to the domain.
* Install the application added to the task sequence.
- Install the Windows 10 operating system.
- Install the Configuration Manager client and the client hotfix.
- Join the computer to the domain.
- Install the application added to the task sequence.
>[!NOTE]
>You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
> [!NOTE]
> You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
![MDT monitoring.](../images/pc0001-monitor.png)

69
windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
View File

@ -15,31 +15,32 @@ ms.date: 10/27/2022
# Finalize the operating system configuration for Windows 10 deployment with Configuration Manager
**Applies to**
*Applies to:*
- Windows 10
- Windows 10
This article walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence.
For the purposes of this guide, we'll use one server computer: CM01.
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
## Enable MDT monitoring
This section will walk you through the process of creating the D:\\MDTProduction deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager.
This section will walk you through the process of creating the **`D:\MDTProduction`** deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager.
On **CM01**:
1. Open the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard:
1. Open the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard:
* Deployment share path: D:\\MDTProduction
* Share name: MDTProduction$
* Deployment share description: MDT Production
* Options: &lt;default settings&gt;
- Deployment share path: D:\\MDTProduction
- Share name: MDTProduction$
- Deployment share description: MDT Production
- Options: *\<default settings\>*
2. Right-click the **MDT Production** deployment share, and select **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and select **OK**.
2. Right-click the **MDT Production** deployment share, and select **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and select **OK**.
![Enable MDT monitoring for Configuration Manager.](../images/mdt-06-fig31.png)
@ -51,16 +52,17 @@ The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-
On **CM01**:
1. To configure NTFS permissions using icacls.exe, type the following command at an elevated Windows PowerShell prompt:
1. To configure NTFS permissions using `icacls.exe`, enter the following command at an elevated Windows PowerShell prompt:
```
icacls D:\Logs /grant '"CM_NAA":(OI)(CI)(M)'
```cmd
icacls.exe D:\Logs /grant '"CM_NAA":(OI)(CI)(M)'
```
2. Using File Explorer, navigate to the **D:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder.
3. To enable server-side logging, edit the CustomSetting.ini file with Notepad.exe and enter the following settings:
2. Using File Explorer, navigate to the **`D:\Sources\OSD\Settings\Windows 10 x64 Settings`** folder.
```
3. To enable server-side logging, edit the `CustomSetting.ini` file with `Notepad.exe` and enter the following settings:
```ini
[Settings]
Priority=Default
Properties=OSDMigrateConfigFiles,OSDMigrateMode
@ -79,12 +81,12 @@ On **CM01**:
![Settings package during deployment.](../images/fig30-settingspack.png)
The Settings package, holding the rules and the Unattend.xml template used during deployment
The Settings package, holding the rules and the `Unattend.xml` template used during deployment
3. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Select **OK** in the popup dialog box.
4. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Select **OK** in the popup dialog box.
>[!NOTE]
>Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes.
> [!NOTE]
> Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes.
## Distribute content to the CM01 distribution portal
@ -92,9 +94,11 @@ In Configuration Manager, you can distribute all packages needed by a task seque
On **CM01**:
1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**.
2. In the Distribute Content Wizard, select **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard.
3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully.
1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**.
2. In the Distribute Content Wizard, select **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard.
3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the `distmgr.log` file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully.
![Content status.](../images/cm01-content-status1.png)
@ -106,20 +110,25 @@ This section provides steps to help you create a deployment for the task sequenc
On **CM01**:
1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** and then select **Deploy**.
1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems** and select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** and then select **Deploy**.
2. In the Deploy Software Wizard, on the **General** page, select the **All Unknown Computers** collection and select **Next**.
3. On the **Deployment Settings** page, use the below settings and then select **Next**:
* Purpose: Available
* Make available to the following: Only media and PXE
- Purpose: Available
- Make available to the following: Only media and PXE
![Configure the deployment settings.](../images/mdt-06-fig33.png)
Configure the deployment settings
4. On the **Scheduling** page, accept the default settings and select **Next**.
5. On the **User Experience** page, accept the default settings and select **Next**.
6. On the **Alerts** page, accept the default settings and select **Next**.
7. On the **Distribution Points** page, accept the default settings, select **Next** twice, and then select **Close**.
![Task sequence deployed.](../images/fig32-deploywiz.png)
@ -134,17 +143,17 @@ This section provides steps to help you configure the All Unknown Computers coll
On **CM01**:
1. Using the Configuration Manager console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**.
1. Using the Configuration Manager console, in the **Asset and Compliance** workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**.
2. On the **Collection Variables** tab, create a new variable with the following settings:
* Name: OSDComputerName
* Clear the **Do not display this value in the Configuration Manager console** check box.
- Name: OSDComputerName
- Clear the **Do not display this value in the Configuration Manager console** check box.
3. Select **OK**.
>[!NOTE]
>Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
> [!NOTE]
> Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
![Configure a collection variable.](../images/mdt-06-fig35.png)

208
windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
View File

@ -14,7 +14,7 @@ ms.date: 10/27/2022
# Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
**Applies to**
*Applies to:*
- Windows 10
@ -28,18 +28,30 @@ In this article, you'll use [components](#components-of-configuration-manager-op
> [!NOTE]
> Procedures in this guide use Configuration Manager version 1910. For more information about the versions of Windows 10 supported by Configuration Manager, see [Support for Windows 10](/mem/configmgr/core/plan-design/configs/support-for-windows-10).
- The [Active Directory Schema has been extended](/mem/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created.
- Active Directory Forest Discovery and Active Directory System Discovery are [enabled](/mem/configmgr/core/servers/deploy/configure/configure-discovery-methods).
- IP range [boundaries and a boundary group](/mem/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created.
- The Configuration Manager [reporting services](/mem/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured.
- A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure).
- The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
- The [Windows ADK](/windows-hardware/get-started/adk-install) version that is [supported for the version of Configuration Manager](/mem/configmgr/core/plan-design/configs/support-for-windows-adk) that is installed, including the Windows PE add-on. USMT should be installed as part of the Windows ADK install.
- [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456
- DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
- The [CMTrace tool](/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.
> [!NOTE]
> CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**.
> CMTrace is automatically installed with the current branch of Configuration Manager at **`Program Files\Microsoft Configuration Manager\tools\cmtrace.exe`**.
For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01.
- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server.
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
- HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer doesn't need to be a domain member.
@ -54,12 +66,12 @@ The following generic credentials are used in this guide. You should replace the
- **Active Directory domain name**: `contoso.com`
- **Domain administrator username**: `administrator`
-**Domain administrator password**: `pass@word1`
- **Domain administrator password**: `pass@word1`
## Create the OU structure
>[!NOTE]
>If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section.
> [!NOTE]
> If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section.
On **DC01**:
@ -107,25 +119,27 @@ A role-based model is used to configure permissions for the service accounts nee
On **DC01**:
1. In the Active Directory Users and Computers console, browse to **contoso.com / Contoso / Service Accounts**.
2. Select the Service Accounts OU and create the CM\_JD account using the following settings:
1. In the Active Directory Users and Computers console, browse to **contoso.com** > **Contoso** > **Service Accounts**.
* Name: CM\_JD
* User sign-in name: CM\_JD
* Password: `pass@word1`
* User must change password at next logon: Clear
* User can't change password: Selected
* Password never expires: Selected
2. Select the Service Accounts OU and create the CM\_JD account using the following settings:
3. Repeat the step, but for the CM\_NAA account.
4. After creating the accounts, assign the following descriptions:
- Name: CM\_JD
- User sign-in name: CM\_JD
- Password: `pass@word1`
- User must change password at next logon: Clear
- User can't change password: Selected
- Password never expires: Selected
* CM\_JD: Configuration Manager Join Domain Account
* CM\_NAA: Configuration Manager Network Access Account
3. Repeat the step, but for the CM\_NAA account.
4. After creating the accounts, assign the following descriptions:
- CM\_JD: Configuration Manager Join Domain Account
- CM\_NAA: Configuration Manager Network Access Account
## Configure Active Directory permissions
In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01.
In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to `C:\Setup\Scripts` on DC01.
On **DC01**:
@ -139,18 +153,18 @@ On **DC01**:
2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following list is that of permissions being granted:
* Scope: This object and all descendant objects
* Create Computer objects
* Delete Computer objects
* Scope: Descendant Computer objects
* Read All Properties
* Write All Properties
* Read Permissions
* Modify Permissions
* Change Password
* Reset Password
* Validated write to DNS host name
* Validated write to service principal name
- Scope: This object and all descendant objects
- Create Computer objects
- Delete Computer objects
- Scope: Descendant Computer objects
- Read All Properties
- Write All Properties
- Read Permissions
- Modify Permissions
- Change Password
- Reset Password
- Validated write to DNS host name
- Validated write to service principal name
## Review the Sources folder structure
@ -158,9 +172,6 @@ On **CM01**:
To support the packages you create in this article, the following folder structure should be created on the Configuration Manager primary site server (CM01):
>[!NOTE]
>In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
- D:\\Sources
- D:\\Sources\\OSD
- D:\\Sources\\OSD\\Boot
@ -173,11 +184,13 @@ To support the packages you create in this article, the following folder structu
- D:\\Sources\\Software
- D:\\Sources\\Software\\Adobe
- D:\\Sources\\Software\\Microsoft
- D:\\Logs
> [!NOTE]
> In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
You can run the following commands from an elevated Windows PowerShell prompt to create this folder structure:
>We'll also create the D:\Logs folder here which will be used later to support server-side logging.
```powershell
New-Item -ItemType Directory -Path "D:\Sources"
New-Item -ItemType Directory -Path "D:\Sources\OSD"
@ -203,11 +216,13 @@ To extend the Configuration Manager console with MDT wizards and templates, inst
On **CM01**:
1. Sign in as contoso\administrator.
2. Ensure the Configuration Manager Console is closed before continuing.
5. Select Start, type **Configure ConfigManager Integration**, and run the application the following settings:
* Site Server Name: CM01.contoso.com
* Site code: PS1
2. Ensure the Configuration Manager Console is closed before continuing.
3. Select Start, type **Configure ConfigManager Integration**, and run the application with the following settings:
- Site Server Name: CM01.contoso.com
- Site code: PS1
![figure 8.](../images/mdt-06-fig08.png)
@ -219,9 +234,11 @@ Most organizations want to display their name during deployment. In this section
On **CM01**:
1. Open the Configuration Manager Console, select the Administration workspace, then select **Client Settings**.
2. In the right pane, right-click **Default Client Settings** and then select **Properties**.
3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and select **OK**.
1. Open the Configuration Manager Console, select the **Administration** workspace, then select **Client Settings**.
2. In the right pane, right-click **Default Client Settings** and then select **Properties**.
3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, enter in **Contoso** and select **OK**.
![figure 9.](../images/mdt-06-fig10.png)
@ -237,9 +254,11 @@ Configuration Manager uses the Network Access account during the Windows 10 depl
On **CM01**:
1. Using the Configuration Manager Console, in the Administration workspace, expand **Site Configuration** and select **Sites**.
2. Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**.
3. On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the *New Account* **CONTOSO\\CM\_NAA** as the Network Access account (password: pass@word1). Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share.
1. Using the Configuration Manager Console, in the **Administration** workspace, expand **Site Configuration** and select **Sites**.
2. Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**.
3. On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the account **CONTOSO\\CM\_NAA** as the Network Access account (password: **pass@word1**). Use the new **Verify** option to verify that the account can connect to the **`\\DC01\sysvol`** network share.
![figure 11.](../images/mdt-06-fig12.png)
@ -251,36 +270,39 @@ Configuration Manager has many options for starting a deployment, but starting v
On **CM01**:
1. In the Configuration Manager Console, in the Administration workspace, select **Distribution Points**.
2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**.
3. On the **PXE** tab, use the following settings:
1. In the Configuration Manager Console, in the **Administration** workspace, select **Distribution Points**.
* Enable PXE support for clients
* Allow this distribution point to respond to incoming PXE requests
* Enable unknown computer
* Require a password when computers use PXE
* Password and Confirm password: pass@word1
2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**.
3. On the **PXE** tab, use the following settings:
- Enable PXE support for clients
- Allow this distribution point to respond to incoming PXE requests
- Enable unknown computer
- Require a password when computers use PXE
- Password and Confirm password: pass@word1
![figure 12.](../images/mdt-06-fig13.png)
Configure the CM01 distribution point for PXE.
>[!NOTE]
>If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).
> [!NOTE]
> If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (**SccmPxe**) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).
4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
4. Using the CMTrace tool, review the **`C:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log`** file. Look for the **ConfigurePXE** and **CcmInstallPXE** lines.
![figure 13.](../images/mdt-06-fig14.png)
The distmgr.log displays a successful configuration of PXE on the distribution point.
The `distmgr.log` displays a successful configuration of PXE on the distribution point.
5. Verify that you've seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**.
5. Verify that you've seven files in each of the folders **`D:\RemoteInstall\SMSBoot\x86`** and **`D:\RemoteInstall\SMSBoot\x64`**.
![figure 14.](../images/mdt-06-fig15.png)
The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE.
**Note**: These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. This article doesn't use the ConfigMgr PXE Responder.
> [!NOTE]
> These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. This article doesn't use the ConfigMgr PXE Responder.
Next, see [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md).
@ -288,15 +310,24 @@ Next, see [Create a custom Windows PE boot image with Configuration Manager](cre
Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are more components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image.
- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager.
- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image.
- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager.
> [!NOTE]
> The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10.
@ -304,28 +335,31 @@ Operating system deployment with Configuration Manager is part of the normal sof
As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name doesn't reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.
>[!NOTE]
>MDT installation requires the following:
>- The Windows ADK for Windows 10 (installed in the previous procedure)
>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
>- Microsoft .NET Framework
> [!NOTE]
> MDT installation requires the following:
>
> - The Windows ADK for Windows 10 (installed in the previous procedure)
> - Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
> - Microsoft .NET Framework
### MDT enables dynamic deployment
When MDT is integrated with Configuration Manager, the task sequence takes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
When MDT is integrated with Configuration Manager, the task sequence processes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the `CustomSettings.ini` file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence.
``` syntax
- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence.
```ini
[Settings]
Priority=Model
[HP EliteBook 8570w]
Packages001=PS100010:Install HP Hotkeys
```
- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
``` syntax
- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
```ini
[Settings]
Priority= ByLaptopType, ByDesktopType
[ByLaptopType]
@ -373,13 +407,17 @@ MDT Zero Touch simply extends Configuration Manager with many useful built-in op
### Why use MDT Lite Touch to create reference images
You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
You can create reference images for Configuration Manager in Configuration Manager, but in general it is recommended to create them in MDT Lite Touch for the following reasons:
- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
- The Configuration Manager task sequence doesn't suppress user interface interaction.
- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured.
- MDT Lite Touch doesn't require any infrastructure and is easy to delegate.
- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
- The Configuration Manager task sequence suppresses user interface interaction.
- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured.
- MDT Lite Touch doesn't require any infrastructure and is easy to delegate.
## Related articles

84
windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
View File

@ -15,7 +15,7 @@ ms.date: 10/27/2022
# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
**Applies to**
*Applies to:*
- Windows 10
@ -23,29 +23,31 @@ This article will show you how to refresh a Windows 7 SP1 client with Windows 10
A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps:
1. Data and settings are backed up locally in a backup folder.
2. The partition is wiped, except for the backup folder.
3. The new operating system image is applied.
4. Other applications are installed.
5. Data and settings are restored.
1. Data and settings are backed up locally in a backup folder.
2. The partition is wiped, except for the backup folder.
3. The new operating system image is applied.
4. Other applications are installed.
5. Data and settings are restored.
## Infrastructure
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0003).
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
- PC0003 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be refreshed to Windows 10.
>[!NOTE]
>If desired, PC0003 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0003 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
> [!NOTE]
> If desired, PC0003 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0003 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
>[!IMPORTANT]
>This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
> [!IMPORTANT]
> This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso** > **Computers** > **Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
## Verify the Configuration Manager client settings
@ -53,8 +55,10 @@ To verify that PC003 is correctly assigned to the PS1 site:
On **PC0003**:
1. Open the Configuration Manager control panel (control smscfgrc).
1. Open the Configuration Manager control panel (`control.exe smscfgrc`).
2. On the **Site** tab, select **Configure Settings**, then select **Find Site**.
3. Verify that Configuration Manager has successfully found a site to manage this client is displayed. See the following example.
![Found a site to manage this client.](../images/pc0003a.png)
@ -63,49 +67,49 @@ On **PC0003**:
On **CM01**:
1. Using the Configuration Manager console, in the Asset and Compliance workspace, expand **Overview**, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
1. Using the Configuration Manager console, in the **Asset and Compliance** workspace, expand **Overview**, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
* General
* Name: Install Windows 10 Enterprise x64
* Limited Collection: All Systems
* Membership rules
* Add Rule: Direct rule
* Resource Class: System Resource
* Attribute Name: Name
* Value: PC0003
* Select Resources
* Select **PC0003**
- General
- Name: Install Windows 10 Enterprise x64
- Limited Collection: All Systems
- Membership rules
- Add Rule: Direct rule
- Resource Class: System Resource
- Attribute Name: Name
- Value: PC0003
- Select Resources
- Select **PC0003**
Use the default settings to complete the remaining wizard pages and select **Close**.
Use the default settings to complete the remaining wizard pages and select **Close**.
2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection.
2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection.
>[!NOTE]
>It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
> [!NOTE]
> It may take a short while for the collection to refresh; you can view progress via the `Colleval.log` file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
## Create a new deployment
On **CM01**:
Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the below settings:
Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the below settings:
- General
- Collection: Install Windows 10 Enterprise x64
- Collection: Install Windows 10 Enterprise x64
- Deployment Settings
- Purpose: Available
- Make available to the following: Configuration Manager clients, media and PXE
- Purpose: Available
- Make available to the following: Configuration Manager clients, media and PXE
>[!NOTE]
>It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
> [!NOTE]
> It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
- Scheduling
- &lt;default&gt;
- *\<default\>*
- User Experience
- &lt;default&gt;
- *\<default\>*
- Alerts
- &lt;default&gt;
- *\<default\>*
- Distribution Points
- &lt;default&gt;
- *\<default\>*
## Initiate a computer refresh
@ -113,12 +117,14 @@ Now you can start the computer refresh on PC0003.
On **CM01**:
1. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **Install Windows 10 Enterprise x64** collection, right-click **PC0003**, point to **Client Notification**, select **Download Computer Policy**, and then select **OK** in the popup dialog box that appears.
1. Using the Configuration Manager console, in the **Assets and Compliance** workspace, select the **Install Windows 10 Enterprise x64** collection, right-click **PC0003**, point to **Client Notification**, select **Download Computer Policy**, and then select **OK** in the popup dialog box that appears.
On **PC0003**:
1. Open the Software Center (select Start and type **Software Center**, or select the **New software is available** balloon in the system tray), select **Operating Systems** and select the **Windows 10 Enterprise x64 RTM** deployment, then select **Install**.
2. In the **Software Center** warning dialog box, select **Install Operating System**.
1. Open the Software Center (select Start and type **Software Center**, or select the **New software is available** balloon in the system tray), select **Operating Systems** and select the **Windows 10 Enterprise x64 RTM** deployment, then select **Install**.
2. In the **Software Center** warning dialog box, select **Install Operating System**.
3. The client computer will run the Configuration Manager task sequence, boot into Windows PE, and install the new OS and applications. See the following examples:
![Task sequence example 1.](../images/pc0003b.png)<br>

159
windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
View File

@ -16,7 +16,7 @@ ms.date: 10/27/2022
# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
**Applies to**
*Applies to:*
- Windows 10
@ -29,43 +29,53 @@ In this article, you'll create a backup-only task sequence that you run on PC000
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
For the purposes of this article, we'll use one server computer (CM01) and two client computers (PC0004, PC0006).
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
- Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work.
- PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced.
- PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004.
>[!NOTE]
>PC0004 and PC006 can be VMs hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, the VMs must have sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
> [!NOTE]
> PC0004 and PC006 can be VMs hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, the VMs must have sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
>[!IMPORTANT]
>This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
> [!IMPORTANT]
> This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
## Create a replace task sequence
On **CM01**:
1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and select **Next**.
3. On the **General** page, assign the following settings and select **Next**:
* Task sequence name: Replace Task Sequence
* Task sequence comments: USMT backup only
- Task sequence name: Replace Task Sequence
- Task sequence comments: USMT backup only
4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**.
5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then select **Next**.
6. On the **USMT Package** page, browse and select the **OSD / Microsoft Corporation User State Migration Tool for Windows** package. Then select **Next**.
7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then select **Next**.
8. On the **Summary** page, review the details and then select **Next**.
9. On the **Confirmation** page, select **Finish**.
10. Review the Replace Task Sequence.
>[!NOTE]
>This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence.
> [!NOTE]
> This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence.
![The back-up only task sequence.](../images/mdt-06-fig42.png "The back-up only task sequence")
@ -77,70 +87,78 @@ This section walks you through the process of associating a new, blank device (P
On **HV01** (if PC0006 is a VM) or in the PC0006 BIOS:
1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet.
1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet.
On **CM01**:
2. When you're using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**.
3. On the **Select Source** page, select **Import single computer** and select **Next**.
4. On the **Single Computer** page, use the following settings and then select **Next**:
1. When you're using the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Devices**, and then select **Import Computer Information**.
* Computer Name: PC0006
* MAC Address: &lt;the mac address that you wrote down&gt;
* Source Computer: PC0004
2. On the **Select Source** page, select **Import single computer** and select **Next**.
3. On the **Single Computer** page, use the following settings and then select **Next**:
- Computer Name: PC0006
- MAC Address: *\<the mac address that you wrote down*\>
- Source Computer: PC0004
![Create the computer association.](../images/mdt-06-fig43.png "Create the computer association")
Creating the computer association between PC0004 and PC0006.
5. On the **User Accounts** page, select **Capture and restore all user accounts** and select **Next**.
6. On the **Data Preview** page, select **Next**.
7. On the **Choose additional collections** page, select **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then select **Next**.
8. On the **Summary** page, select **Next**, and then select **Close**.
9. Select the **User State Migration** node and review the computer association in the right hand pane.
10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't.
11. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again.
4. On the **User Accounts** page, select **Capture and restore all user accounts** and select **Next**.
5. On the **Data Preview** page, select **Next**.
6. On the **Choose additional collections** page, select **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then select **Next**.
7. On the **Summary** page, select **Next**, and then select **Close**.
8. Select the **User State Migration** node and review the computer association in the right hand pane.
9. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't.
10. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again.
## Create a device collection and add the PC0004 computer
On **CM01**:
1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
1. When you're using the Configuration Manager console, in the **Asset and Compliance** workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
* General
* Name: USMT Backup (Replace)
* Limited Collection: All Systems
* Membership rules:
* Add Rule: Direct rule
* Resource Class: System Resource
* Attribute Name: Name
* Value: PC0004
* Select Resources:
* Select **PC0004**
- General
- Name: USMT Backup (Replace)
- Limited Collection: All Systems
- Membership rules:
- Add Rule: Direct rule
- Resource Class: System Resource
- Attribute Name: Name
- Value: PC0004
- Select Resources:
- Select **PC0004**
Use default settings for the remaining wizard pages, then select **Close**.
2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection.
2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection.
## Create a new deployment
On **CM01**:
Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings:
Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings:
- General
- Collection: USMT Backup (Replace)
- Deployment Settings
- Purpose: Available
- Make available to the following: Only Configuration Manager Clients
- Scheduling
- &lt;default&gt;
- User Experience
- &lt;default&gt;
- Alerts
- &lt;default&gt;
- Distribution Points
- &lt;default&gt;
- General
- Collection: USMT Backup (Replace)
- Deployment Settings
- Purpose: Available
- Make available to the following: Only Configuration Manager Clients
- Scheduling
- *\<default*\>
- User Experience
- *\<default*\>
- Alerts
- *\<default*\>
- Distribution Points
- *\<default*\>
## Verify the backup
@ -148,15 +166,17 @@ This section assumes that you have a computer named PC0004 with the Configuratio
On **PC0004**:
1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc).
2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears.
1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (**`control.exe smscfgrc`**).
2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears.
>[!NOTE]
>You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
> [!NOTE]
> You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
3. Open the Software Center, select the **Replace Task Sequence** deployment and then select **Install**.
4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
5. Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes.
3. Open the Software Center, select the **Replace Task Sequence** deployment and then select **Install**.
4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
5. Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes.
![Task sequence example.](../images/pc0004b.png)
@ -164,11 +184,12 @@ Capturing the user state
On **CM01**:
6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup.
7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location.
1. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup.
>[!NOTE]
>It may take a few minutes for the user state store location to be populated.
2. Using the Configuration Manager console, in the **Assets and Compliance** workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location.
> [!NOTE]
> It may take a few minutes for the user state store location to be populated.
## Deploy the new computer
@ -176,16 +197,16 @@ On **PC0006**:
1. Start the PC0006 virtual machine (or physical computer), press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
* Password: pass@word1
* Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
- Password: pass@word1
- Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
2. The setup now starts and does the following steps:
2. The setup now starts and does the following steps:
* Installs the Windows 10 operating system
* Installs the Configuration Manager client
* Joins it to the domain
* Installs the applications
* Restores the PC0004 backup
- Installs the Windows 10 operating system
- Installs the Configuration Manager client
- Joins it to the domain
- Installs the applications
- Restores the PC0004 backup
When the process is complete, you'll have a new Windows 10 computer in your domain with user data and settings restored. See the following examples:

89
windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
View File

@ -15,21 +15,21 @@ ms.date: 10/27/2022
# Perform an in-place upgrade to Windows 10 using Configuration Manager
*Applies to:*
**Applies to**
- Windows 10
- Windows 10
The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Configuration Manager task sequence to completely automate the process.
>[!IMPORTANT]
>Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10.
> [!IMPORTANT]
> Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10.
## Infrastructure
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0004).
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
- PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be upgraded to Windows 10.
@ -43,30 +43,40 @@ Configuration Manager Current Branch includes a native in-place upgrade task. Th
On **CM01**:
1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and select **Add Operating System Upgrade Package**.
2. On the **Data Source** page, under **Path**, select **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**.
1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and select **Add Operating System Upgrade Package**.
2. On the **Data Source** page, under **Path**, select **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **`\\cm01\Sources$\OSD\UpgradePackages\Windows 10`**.
3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we've chosen **Windows 10 Enterprise**.
4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then select **Next**.
5. Next to **Name**, enter **Windows 10 x64 RTM** and then complete the wizard by clicking **Next** and **Close**.
6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**.
7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**.
8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**.
7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**.
8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the **`D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log`** file and look for the **STATMSG: ID=2301** line.
## Create an in-place upgrade task sequence
On **CM01**:
1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create Task Sequence**.
1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create Task Sequence**.
2. On the **Create a new task sequence** page, select **Upgrade an operating system from an upgrade package** and select **Next**.
3. Use the below settings to complete the wizard:
* Task sequence name: Upgrade Task Sequence
* Description: In-place upgrade
* Upgrade package: Windows 10 x64 RTM
* Include software updates: Don't install any software updates
* Install applications: OSD \ Adobe Acrobat Reader DC
- Task sequence name: Upgrade Task Sequence
- Description: In-place upgrade
- Upgrade package: Windows 10 x64 RTM
- Include software updates: Don't install any software updates
- Install applications: OSD \ Adobe Acrobat Reader DC
4. Complete the wizard, and select **Close**.
5. Review the Upgrade Task Sequence.
![The upgrade task sequence.](../images/cm-upgrade-ts.png)
@ -79,7 +89,7 @@ After you create the upgrade task sequence, you can create a collection to test
On **CM01**:
1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
1. When you're using the Configuration Manager console, in the **Asset and Compliance** workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
- General
- Name: Windows 10 x64 in-place upgrade
- Limited Collection: All Systems
@ -91,7 +101,7 @@ On **CM01**:
- Select Resources
- Select PC0004
2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection.
2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection.
## Deploy the Windows 10 upgrade
@ -99,15 +109,23 @@ In this section, you create a deployment for the Windows 10 Enterprise x64 Updat
On **CM01**:
1. Using the Configuration Manager console, in the Software Library workspace, right-click the **Upgrade Task Sequence** task sequence, and then select **Deploy**.
2. On the **General** page, browse and select the **Windows 10 x64 in-place upgrade** collection, and then select **Next**.
3. On the **Content** page, select **Next**.
4. On the **Deployment Settings** page, select **Next**:
5. On the **Scheduling** page, accept the default settings, and then select **Next**.
6. On the **User Experience** page, accept the default settings, and then select **Next**.
7. On the **Alerts** page, accept the default settings, and then select **Next**.
7. On the **Distribution Points** page, accept the default settings, and then select **Next**.
8. On the **Summary** page, select **Next**, and then select **Close**.
1. Using the Configuration Manager console, in the **Software Library** workspace, right-click the **Upgrade Task Sequence** task sequence, and then select **Deploy**.
2. On the **General** page, browse and select the **Windows 10 x64 in-place upgrade** collection, and then select **Next**.
3. On the **Content** page, select **Next**.
4. On the **Deployment Settings** page, select **Next**:
5. On the **Scheduling** page, accept the default settings, and then select **Next**.
6. On the **User Experience** page, accept the default settings, and then select **Next**.
7. On the **Alerts** page, accept the default settings, and then select **Next**.
8. On the **Distribution Points** page, accept the default settings, and then select **Next**.
9. On the **Summary** page, select **Next**, and then select **Close**.
## Start the Windows 10 upgrade
@ -115,15 +133,18 @@ Next, run the in-place upgrade task sequence on PC0004.
On **PC0004**:
1. Open the Configuration Manager control panel (control smscfgrc).
2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears.
1. Open the Configuration Manager control panel (`control.exe smscfgrc`).
>[!NOTE]
>You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears.
3. Open the Software Center, select the **Upgrade Task Sequence** deployment and then select **Install**.
4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
5. Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the install.wim file, perform an in-place upgrade, and install your added applications. See the following examples:
> [!NOTE]
> You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
3. Open the Software Center, select the **Upgrade Task Sequence** deployment and then select **Install**.
4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
5. Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the **Operating System Upgrade Package** (the Windows installation source files), perform an in-place upgrade, and install your added applications. See the following examples:
![Upgrade task sequence example 1.](../images/pc0004-a.png)<br>
![Upgrade task sequence example 2.](../images/pc0004-b.png)<br>

4
windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
View File

@ -143,8 +143,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica
On **MDT01**:
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200320263_en_US.exe) to **D:\\setup\\adobe** on MDT01.
2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2200320263_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200320282_en_US.exe) to **D:\\setup\\adobe** on MDT01.
2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2200320282_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
4. Right-click the **Applications** node, and create a new folder named **Adobe**.

1
windows/deployment/do/TOC.yml
View File

@ -65,4 +65,3 @@
href: delivery-optimization-endpoints.md

209
windows/deployment/do/delivery-optimization-test.md Normal file
View File

@ -0,0 +1,209 @@
---
title: Testing Delivery Optimization
description: Explanation of Delivery Optimization distributed cache and high-level design. Demonstrate how Delivery Optimization peer-to-peer works in different test scenarios.
ms.date: 11/08/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
ms.localizationpriority: medium
author: cmknox
ms.author: carmenf
ms.reviewer: mstewart
manager: naengler
---
# Testing Delivery Optimization
## Overview
Delivery Optimization is a powerful and useful tool to help enterprises manage bandwidth usage for downloading Microsoft content. It's a solution designed to be used in large-scale environments with large numbers of devices, various content sizes, etc. Delivery Optimization is native to Win10+ and provides default configuration to get the most out of the typical customer environment. It's used to deliver many different types of content, so Microsoft customers enjoy the best possible download experience for their environment. There are three components to Delivery Optimization, 1) HTTP downloader, 2) Peer-to-peer (P2P) cloud technology, and 3) Microsoft Connected Cache. One of the most powerful advantages of using Delivery Optimization is the ability to fine-tune settings that empower users to dial in Microsoft content delivery to meet the needs of specific environments.
## Monitoring The Results
Since Delivery Optimization is on by default, you'll be able to monitor the value either through the Windows Settings for Delivery Optimization, using Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md), and/or via the [Windows Update for Business Report.](../update/wufb-reports-workbook.md) experience in Azure.
In the case where Delivery Optimization isn't working in your environment, it's important to investigate to get to the root of the problem. We recommend a test environment be created to easily evaluate typical devices to ensure Delivery Optimization is working properly. For starters, Scenario 1: Basic Setup should be created to test the use of Delivery Optimization between two machines. This scenario is designed to eliminate any noise in the environment to ensure there's nothing preventing Delivery Optimization from working on the devices. Once you have a baseline, you can expand the test environment for more sophisticated tests.
## Expectations and Goals
The focus of the testing scenarios in this article is primarily centered on demonstrating the Delivery Optimization policies centered around the successful downloading of bytes using P2P. More specifically, the goal will be to show peer to peer is working as expected, using the following criteria:
* Peers can find each other (for example on the same LAN / subnet / Group matching your 'Download Mode' policy).
* Files are downloading in the expected 'Download Mode' policy setting (validates connectivity to DO cloud, HTTP, and local configs).
* At least some downloads happening via P2P (validates connectivity between peers).
Several elements that influence overall peering, using Delivery Optimization. The most common, impactful environment factors should be considered.
* **The number of files in the cache and** **the** **number of devices have a big effect on overall peering.** There's a set number of files available for peering at a time, from each client, so the peering device may not be serving a particular file.
* **File size** **and** **internet connection** **reliability matter.** There's a Delivery Optimization setting to determine the minimum file size to use P2P. In addition, an internet connection must be open and reliable enough to let the Delivery Optimization client make cloud service API calls and download metadata files before starting a file download.
* **Delivery Optimization Policies can play a role.** In general, it's important to familiarize yourself with the Delivery Optimization settings and defaults [Delivery Optimization reference - Windows Deployment | Microsoft Docs.](waas-delivery-optimization-reference.md).
### Delivery Optimization is a Hybrid P2P Platform
* Delivery Optimizations hybrid approach to downloading from multiple sources (HTTP and peer) in parallel is especially critical for large-scale environments, constantly assessing the optimal source from which to deliver the content. In conjunction, the distribution of content cache, across participating devices, contributes to Delivery Optimizations ability to find bandwidth savings as more peers become available.
* At the point a download is initiated, the DO client starts downloading from the HTTP source and discovering peers simultaneously. With a smaller file, most of the bytes could be downloaded from an HTTP source before connecting to a peer, even though peers are available. With a larger file and quality LAN peers, it might reduce the HTTP request rate to near zero, but only after making those initial requests from HTTP.
* In the next section, you'll see how the two testing scenarios produce differing results in the number of bytes coming from HTTP vs. peers, which shows Delivery Optimization continuously evaluating the optimal location from which to download the content.
## Test Scenarios
### Scenario 1: Basic Setup
**Goal:**
Demonstrate how Delivery Optimization peer-to-peer technology works using two machines in a controlled test environment
**Expected Results:**
Machine 1 will download zero bytes from peers and Machine 2 will download 50-99% from peers.
#### Test Machine Setup
|Setup Checklist| Value/Explanation
|--------|-------------------------------|
|Number of machines used| 2 |
|Virtual Machines/physical devices| 2 |
|Windows OS version | Windows 10 (21H2) and Windows 11 (21H2) |
|RAM | 8 GB |
|Disk size | 127 GB |
|Network | Connected to same network, one that is representative of the corporate network. |
|Pause Windows Updates | This controls the test environment so no other content is made available during the test, and potentially altering the outcome of the test. If there are problems and no peering happens, use 'Get-DeliveryOptimizationStatus' on the first machine to return a real-time list of the connected peers. |
|Ensure all Store apps are up to date | This will help prevent any new, unexpected updates to download during testing. |
|Delivery Optimization 'Download Mode' Policy | 2 (Group)(set on each machine) |
|Delivery Optimization 'GroupID' Policy | Set the *same* 'GUID' on each test machine. A GUID is a required value, which can be generated using PowerShell, [[guid]::NewGuid().](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/). |
|**Required on Windows 11 devices only** set Delivery Optimization 'Restrict Peer Selection' policy | 0-NAT (set on each machine). The default behavior in Windows 11 is set to '2-Local Peer Discovery'. For testing purposes, this needs to be scoped to the NAT. |
#### Test Instructions
The following set of instructions will be used for each machine:
1. Open PowerShell console as 'Administrator'.
* Clear the DO cache: 'Delete-DeliveryOptimizationCache'.
* Run 'Get-DeliveryOptimizationStatus'.
2. Open MS Store and search for 'Asphalt Legends 9'. Select *Get* to initiate the download of the content (content size: ~3.4 GB).
**On machine #1**
* Run 'Test Instructions'
|Windows 10 | Windows 11
|--------|-------------------------------|
| :::image type="content" source="images/test-scenarios/win10/m1-basic-complete.png" alt-text="Windows 10 21H2 - Machine 1 - Basic Test." lightbox="images/test-scenarios/win10/m1-basic-complete.png"::: | :::image type="content" source="images/test-scenarios/win11/m1-basic-complete.png" alt-text="Windows 11 21H2 - Machine 1 - Basic Test." lightbox="images/test-scenarios/win11/m1-basic-complete.png"::: |
| **Observations** | |
| * No peers were found on the first machine downloading the content.<br>* 'TotalBytesDownloaded' is equal to the file size.<br>* Status is set to 'Caching' the content so future peers can use it.<br>* Download was happening in the foreground.<br>* DownloadMode is set to 'Group' and no peers were found.<br>* No distinct observations seen between Window 10 and Windows 11 devices. |
*Wait 5 minutes*.
**On machine #2**
* Run 'Test Instructions'
|Windows 10 | Windows 11 |
|--------|--------------------------------|
| :::image type="content" source="images/test-scenarios/win10/m2-basic-complete.png" alt-text="Windows 10 21H2 - Machine 2 - Basic Test." lightbox="images/test-scenarios/win10/m2-basic-complete.png"::: | :::image type="content" source="images/test-scenarios/win11/m2-basic-complete.png" alt-text="Windows 11 21H2 - Machine 2 - Basic Test." lightbox="images/test-scenarios/win11/m2-basic-complete.png":::|
| **Observations** | **Observations**|
| * A peer was found for the content and 87% of total bytes came from the peer. <br> * One peer was found for the piece of content, which is expected as there are only two devices in the peering group. <br> * Download mode was set to 'Group', but since group mode includes both LAN and Group devices, Delivery Optimization prioritizes LAN peers, if found. Therefore, 'BytesFromLanPeers' shows bytes where 'BytesFromGroupPeers' doesn't. <br> * 'DownloadDuration' is roughly the same between machines.|* A peer was found for the content and 90% of total bytes came from the peer. <br> * All other points are the same as Windows 10 results. |
### Scenario 2: Advance Setup
**Goal:**
Demonstrate how Delivery Optimization peer-to-peer technology works in a non-controlled environment and expanding to three machines
**Expected Results:**
Machine 1 will download zero bytes from peers and Machine 2 will find peers and download 50-99% from peers. Machine 3 will find two peers and download 50-99% from peers.
#### Test Machine Setup
|Setup Checklist| Value/Explanation |
|--------|-------------------------------|
|Number of machines used| 3 |
|Virtual Machines| 3 |
|Windows OS version | Windows 10 (21H2) |
|RAM | 8 GB |
|Disk size | 127 GB |
|Network | Connected to same network, one that is representative of the corporate network. |
|Delivery Optimization 'Download Mode' Policy| 2 (Group)(set on each machine) |
|Delivery Optimization 'Group ID' Policy| Set the *same* 'GUID' on each test machine. A GUID is required value, which can be generated using PowerShell, '[guid]::NewGuid().](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)'. |
|Delivery Optimization 'Delay background download from http' Policy | 60 (set on each machine) |
|Delivery Optimization 'Delay foreground download from http Policy |60 (set on each machine) |
#### Testing Instructions
The following set of instructions will be used for each machine:
1. Clear the DO cache: Delete-DeliveryOptimizationCache.
2. Open MS Store and search for 'Asphalt Legends 9'. Select *Get* to initiate the download of the content (content size: ~3.4 GB).
3. Open PowerShell console as Administrator. Run 'Get-DeliveryOptimizationStatus'.
**On machine #1:**
* Run Test Instructions
**Output: Windows 10 (21H2)**
![Windows 10 21H2 - Machine 1 - Advanced Test.](images/test-scenarios/win10/m1-adv-complete.png)
**Observations**
* The first download in the group of devices shows all bytes coming from HTTP, 'BytesFromHttp'.
* Download is in the Foreground because the Store app is doing the download and in the foreground on the device because it is initiated by the user in the Store app.
* No peers are found.
*Wait 5 minutes*.
**On machine #2:**
* Run Test Instructions
**Output** Windows 10 (21H2)
![Windows 10 21H2 - Machine 2 - Advanced Test.](images/test-scenarios/win10/m2-adv-complete.png)
**Observations**
* 'PercentPeerCaching' is 99.8%
* There are still 'BytesFromHttp' source being used
* One peer was found
* All peering was done from device on the LAN, as shown with 'BytesFromLanPeers'
**On machine #3:**
* Run Test Instructions
**Output:** Windows 10 (21H2)
![Windows 10 21H2 - Machine 3 - Advanced Test.](images/test-scenarios/win10/m3-adv-complete.png)
**Observations**
* 'PercentPeerCaching' is roughly the same as machine #2, at 99.7%.
* Now, two peers are found.
* Still downloading from HTTP source as seen with 'BytesFromHttp' value.
## Peer sourcing observations for all machines in the test group
The distributed nature of the Delivery Optimization technology is obvious when you rerun the Get-DeliveryOptimizationStatus cmdlet on each of the test machines. For each, there's a new value populated for the BytesToLanPeers field. This demonstrates that as more peers become available, the requests to download bytes are distributed across the peering group and act as the source for the peering content. Each peer plays a role in servicing the other.
**Output:** Machine 1
'BytesToPeers' sourced from Machine 1 are '5704426044'. This represents the total number of bytes downloaded by the two peers in the group.
![Windows 10 21H2 - Machine 1 - Advanced BytesToPeers Test.](images/test-scenarios/win10/m1-adv-bytes-to-peers.png)
**Output:** Machine 2
'BytesToPeers' sourced from Machine 2 are '1899143740'. When there are two peers in the group with bytes available, notice that the distribution of bytes comes from either Machine 1 or Machine 2.
![Windows 10 21H2 - Machine 2 - Advanced BytesToPeers Test.](images/test-scenarios/win10/m2-adv-bytes-to-peers.png)
**Output:** Machine 3
'BytesToPeers' sourced from Machine 3 are '0'. This means that no other peers are downloading bytes from this peer, which is expected since it was the last machine in the group.
![Windows 10 21H2 - Machine 3 - Advanced BytesToPeers Test.](images/test-scenarios/win10/m3-adv-bytes-to-peers.png)
## Conclusion
Using Delivery Optimization can help make a big impact in customer environments to optimize bandwidth. The peer-to-peer technology offers many configurations designed to be flexible for any organization. Delivery Optimization uses a distributed cache across different sources to ensure the most optimal download experience, while limiting the resources used on each device.
The testing scenarios found in this document help to show a controlled test environment, helping to prevent updates from interrupting the peering results. The other, a more real-world case, demonstrates how content available across peers will be used as the source of the content.
If there are issues found while testing, the Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md) can be a helpful tool to help explain what is happening in the environment.

BIN
windows/deployment/do/images/test-scenarios/win10/m1-adv-bytes-to-peers.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 100 KiB

BIN
windows/deployment/do/images/test-scenarios/win10/m1-adv-complete.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 98 KiB

BIN
windows/deployment/do/images/test-scenarios/win10/m1-basic-complete.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 101 KiB

BIN
windows/deployment/do/images/test-scenarios/win10/m2-adv-bytes-to-peers.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB

BIN
windows/deployment/do/images/test-scenarios/win10/m2-adv-complete.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 103 KiB

BIN
windows/deployment/do/images/test-scenarios/win10/m2-basic-complete.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 384 KiB

BIN
windows/deployment/do/images/test-scenarios/win10/m3-adv-bytes-to-peers.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 79 KiB

BIN
windows/deployment/do/images/test-scenarios/win10/m3-adv-complete.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 105 KiB

BIN
windows/deployment/do/images/test-scenarios/win11/m1-basic-complete.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 101 KiB

BIN
windows/deployment/do/images/test-scenarios/win11/m2-basic-complete.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 107 KiB

2
windows/deployment/do/index.yml
View File

@ -102,4 +102,6 @@ landingContent:
url: delivery-optimization-proxy.md
- text: Content endpoints for Delivery Optimization and Microsoft Connected Cache
url: delivery-optimization-endpoints.md
- text: Testing Delivery Optimization
url: delivery-optimization-test.md

17
windows/deployment/do/mcc-isp-create-provision-deploy.md
View File

@ -96,7 +96,7 @@ There are five IDs that the device provisioning script takes as input in order t
| ID | Description |
|---|---|
| Customer ID | The Azure subscription ID that the cache node is created in. |
| Customer ID | A unique alphanumeric ID that the cache nodes are associated with. |
| Cache node ID | The unique alphanumeric ID of the cache node being provisioned. |
| Customer key | The unique alphanumeric ID that provides secure authentication of the cache node to Delivery Optimization services. |
| Registration key | Single use device registration key used by Microsoft Delivery Optimization services. |
@ -108,10 +108,15 @@ There are five IDs that the device provisioning script takes as input in order t
1. Open a terminal window in the directory where you would like to deploy your cache node and run the following command to change the access permission to the Bash script:
```bash
sudo chmod +x installmcc.sh
sudo chmod +x provisionmcc.sh
```
1. Run the deployment script that is shown for your cache node in Azure portal by copying and pasting the script in your terminal. The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md).
1. Copy and paste the script command line shown in the Azure portal.
1. Run the script in your server terminal for your cache node by . The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md).
> [!NOTE]
> The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to reprovision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script.
### General configuration fields
@ -124,9 +129,13 @@ There are five IDs that the device provisioning script takes as input in order t
### Storage fields
> [!IMPORTANT]
> All cache drives must have read/write permissions set or the cache node will not function.
> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrive`
| Field Name | Expected Value| Description |
|---|---|---|
| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: /dev/folder/ |
| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: `/dev/folder/` Each cache drive should have read/write permissions configured. |
| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. |
### Client routing fields

2
windows/deployment/do/mcc-isp-verify-cache-node.md
View File

@ -73,7 +73,7 @@ For more information about how to build your custom charts and graphs, see [Azur
To view the metrics associated with your cache nodes, navigate to the **Overview** > **Monitoring** tab within the Azure portal.
:::image type="content" source="./images/mcc-isp-metrics.png" alt-text="Screenshot of the Azure portal displaying the metrics view in the Overview tab".:::
:::image type="content" source="./images/mcc-isp-metrics.png" alt-text="Screenshot of the Azure portal displaying the metrics view in the Overview tab.":::
You can choose to monitor the health and performance of all cache nodes or one at a time by using the dropdown menu. The **Egress bits per second** graph shows your inbound and outbound traffic of your cache nodes over time. You can change the time range (1 hour, 12 hours, 1 day, 7 days, 14 days, and 30 days) by selecting the time range of choice on the top bar.

2
windows/deployment/do/mcc-isp.md
View File

@ -110,7 +110,7 @@ To deploy MCC:
1. [Provide Microsoft with your Azure subscription ID](#provide-microsoft-with-your-azure-subscription-id)
2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure)
3. [Create a Cache Node](#create-a-mcc-node-in-azure)
3. [Create a Cache Node](#create-an-mcc-node-in-azure)
4. [Configure Cache Node Routing](#edit-cache-node-information)
5. [Install MCC on a physical server or VM](#install-mcc)
6. [Verify properly functioning MCC server](#verify-properly-functioning-mcc-server)

BIN
windows/deployment/update/images/update-terminology.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 61 KiB

After

Width:  |  Height:  |  Size: 50 KiB

4
windows/deployment/update/servicing-stack-updates.md
View File

@ -40,7 +40,9 @@ Servicing stack update are released depending on new issues or vulnerabilities.
Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
Beginning with the February 2021 LCU, Microsoft will publish all future cumulative updates and SSUs for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in WSUS.
## Is there any special guidance?

2
windows/deployment/update/waas-manage-updates-wufb.md
View File

@ -48,7 +48,7 @@ Windows Update for Business enables an IT administrator to receive and manage a
Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available.
- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as updates for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates.
- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates.
- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
- **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies.

2
windows/deployment/update/wufb-reports-admin-center.md
View File

@ -9,7 +9,7 @@ ms.localizationpriority: medium
ms.collection:
- M365-analytics
ms.topic: article
ms.date: 06/20/2022
ms.date: 11/15/2022
ms.technology: itpro-updates
---

4
windows/deployment/update/wufb-reports-configuration-intune.md
View File

@ -9,11 +9,11 @@ ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
ms.date: 08/24/2022
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Configuring Microsoft Intune devices for Windows Update for Business reports (preview)
# Configuring Microsoft Intune devices for Windows Update for Business reports
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Intune](/mem/intune/fundamentals/what-is-intune)***

4
windows/deployment/update/wufb-reports-configuration-manual.md
View File

@ -9,11 +9,11 @@ ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
ms.date: 06/06/2022
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Manually configuring devices for Windows Update for Business reports (preview)
# Manually configuring devices for Windows Update for Business reports
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***

4
windows/deployment/update/wufb-reports-configuration-script.md
View File

@ -9,11 +9,11 @@ ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
ms.date: 06/16/2022
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Configuring devices through the Windows Update for Business reports (preview) configuration script
# Configuring devices through the Windows Update for Business reports configuration script
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***

4
windows/deployment/update/wufb-reports-enable.md
View File

@ -8,11 +8,11 @@ author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.date: 06/06/2022
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Enable Windows Update for Business reports (preview)
# Enable Windows Update for Business reports
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***

10
windows/deployment/update/wufb-reports-help.md
View File

@ -8,11 +8,11 @@ author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.date: 08/10/2022
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Windows Update for Business reports (preview) feedback, support, and troubleshooting
# Windows Update for Business reports feedback, support, and troubleshooting
<!-- MAX6325272, OS33771278 -->
***(Applies to: Windows 11 & Windows 10)***
@ -51,9 +51,9 @@ You can open support requests directly from the Azure portal. If the **Help + S
- **Issue type** - ***Technical***
- **Subscription** - Select the subscription used for Windows Update for Business reports
- **Service** - ***My services***
- **Service type** - ***Log Analytics***
- **Problem type** - ***Solutions or Insights***
- **Problem subtype** - ***Update Compliance***
- **Service type** - ***Monitoring and Management***
- **Problem type** - ***Windows Update for Business reports***
1. Based on the information you provided, you'll be shown some **Recommended solutions** you can use to try to resolve the problem.
1. Complete the **Additional details** tab and then create the request on the **Review + create** tab.

4
windows/deployment/update/wufb-reports-overview.md
View File

@ -8,11 +8,11 @@ author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.date: 08/09/2022
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Windows Update for Business reports (preview) overview
# Windows Update for Business reports overview
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***

4
windows/deployment/update/wufb-reports-prerequisites.md
View File

@ -8,11 +8,11 @@ author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.date: 06/30/2022
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Windows Update for Business reports (preview) prerequisites
# Windows Update for Business reports prerequisites
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***

4
windows/deployment/update/wufb-reports-schema.md
View File

@ -8,11 +8,11 @@ author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: reference
ms.date: 06/06/2022
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Windows Update for Business reports (preview)schema
# Windows Update for Business reports schema
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***

4
windows/deployment/update/wufb-reports-use.md
View File

@ -8,11 +8,11 @@ author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.date: 06/06/2022
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Use Windows Update for Business reports (preview)
# Use Windows Update for Business reports
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***

4
windows/deployment/update/wufb-reports-workbook.md
View File

@ -8,11 +8,11 @@ author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.date: 10/24/2022
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Windows Update for Business reports (preview) workbook
# Windows Update for Business reports workbook
<!-- MAX6325272, OS33771278 -->
***(Applies to: Windows 11 & Windows 10)***

6
windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
View File

@ -34,7 +34,7 @@ This article outlines the general process that you should follow to migrate file
6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the `ScanState.exe` command. For example, the following command creates a `Config.xml` file by using the `MigDocs.xml` and `MigApp.xml` files:
``` syntax
```cmd
ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log
```
@ -51,7 +51,7 @@ This article outlines the general process that you should follow to migrate file
3. Run the `ScanState.exe` command on the source computer to collect files and settings. You should specify all of the .xml files that you want the `ScanState.exe` command to use. For example,
``` syntax
```cmd
ScanState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log
```
@ -78,7 +78,7 @@ This article outlines the general process that you should follow to migrate file
For example, the following command migrates the files and settings:
``` syntax
```cmd
LoadState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:LoadState.log
```

2
windows/deployment/usmt/migrate-application-settings.md
View File

@ -131,7 +131,7 @@ On a test computer, install the operating system that will be installed on the d
To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you're testing. To specify only **User1** in the migration, enter:
``` syntax
```cmd
/ue:*\* /ui:user1
```

4
windows/deployment/usmt/offline-migration-reference.md
View File

@ -61,7 +61,7 @@ The following table defines the supported combination of online and offline oper
User-group membership isn't preserved during offline migrations. You must configure a **&lt;ProfileControl&gt;** section in the `Config.xml` file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group:
``` xml
```xml
<Configuration>
<ProfileControl>
<localGroups>
@ -146,7 +146,7 @@ Syntax: `<failOnMultipleWinDir>0</failOnMultipleWinDir>`
The following XML example illustrates some of the elements discussed earlier in this article.
``` xml
```xml
<offline>
<winDir>
<path>C:\Windows</path>

24
windows/deployment/usmt/understanding-migration-xml-files.md
View File

@ -164,7 +164,7 @@ You can use multiple XML files with the ScanState and LoadState tools. Each of t
For example, you can use all of the XML migration file types for a single migration, as in the following example:
``` syntax
```cmd
ScanState.exe <store> /config:c:\myFolder\Config.xml /i:migapps.xml /i:MigDocs.xml /i:CustomRules.xml
```
@ -194,14 +194,14 @@ To generate the XML migration rules file for a source computer:
4. At the command prompt, enter:
``` syntax
```cmd
cd /d <USMTpath>
ScanState.exe /genmigxml: <filepath.xml>
```
Where *&lt;USMTpath&gt;* is the location on your source computer where you've saved the USMT files and tools, and *&lt;filepath.xml&gt;* is the full path to a file where you can save the report. For example, enter:
``` syntax
```cmd
cd /d c:\USMT
ScanState.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml"
```
@ -230,13 +230,13 @@ The `MigDocs.xml` file calls the `GenerateDocPatterns` function, which takes thr
**Usage:**
``` syntax
```cmd
MigXmlHelper.GenerateDocPatterns ("<ScanProgramFiles>", "<IncludePatterns>", "<SystemDrive>")
```
To create include data patterns for only the system drive:
``` xml
```xml
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<script>MigXmlHelper.GenerateDocPatterns ("FALSE","TRUE","TRUE")</script>
@ -246,7 +246,7 @@ To create include data patterns for only the system drive:
To create an include rule to gather files for registered extensions from the %PROGRAMFILES% directory:
``` xml
```xml
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<script>MigXmlHelper.GenerateDocPatterns ("TRUE","TRUE","FALSE")</script>
@ -256,7 +256,7 @@ To create an include rule to gather files for registered extensions from the %PR
To create exclude data patterns:
``` xml
```xml
<exclude filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<script>MigXmlHelper.GenerateDocPatterns ("FALSE","FALSE","FALSE")</script>
@ -339,7 +339,7 @@ To exclude the new text document.txt file and any .txt files in "new folder", yo
To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension.
``` xml
```xml
<exclude>
<objectSet>
<pattern type="File">D:\Newfolder\[new text document.txt]</pattern>
@ -352,7 +352,7 @@ To exclude Rule 1, there needs to be an exact match of the file name. However, f
If you don't know the file name or location of the file, but you do know the file name extension, you can use the `GenerateDrivePatterns` function. However, the rule will be less specific than the default include rule generated by the `MigDocs.xml` file, so it will not have precedence. You must use the &lt;UnconditionalExclude&gt; element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
``` xml
```xml
<unconditionalExclude>
<objectSet>
<script>MigXmlHelper.GenerateDrivePatterns ("*[*.txt]", "Fixed")</script>
@ -364,7 +364,7 @@ If you don't know the file name or location of the file, but you do know the fil
If you want the **&lt;UnconditionalExclude&gt;** element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts.
``` xml
```xml
<component type="Documents" context="UserandSystem">
<displayName>MigDocExcludes</displayName>
<role role="Data">
@ -389,7 +389,7 @@ The application data directory is the most common location that you would need t
This rule will include .pst files that are located in the default location, but aren't linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer.
``` xml
```xml
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<pattern type="File">%CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst]</pattern>
@ -401,7 +401,7 @@ This rule will include .pst files that are located in the default location, but
For locations outside the user profile, such as the Program Files folder, you can add the rule to the system context component.
``` xml
```xml
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<objectSet>
<pattern type="File">%CSIDL_PROGRAM_FILES%\*[*.pst]</pattern>

2
windows/deployment/usmt/usmt-best-practices.md
View File

@ -91,7 +91,7 @@ As the authorized administrator, it is your responsibility to protect the privac
Although it isn't a requirement, it's good practice for **&lt;CustomFileName&gt;** to match the name of the file. For example, the following example is from the `MigApp.xml` file:
``` xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migapp">
```

10
windows/deployment/usmt/usmt-common-issues.md
View File

@ -107,7 +107,7 @@ To remove encryption from files that have already been migrated incorrectly, you
**Resolution:** You can use the `/mu` option when you run the **LoadState** tool to specify a new name for the user. For example,
``` syntax
```cmd
LoadState.exe /i:MigApp.xml /i:MigDocs.xml \\server\share\migration\mystore
/progress:Progress.log /l:LoadState.log /mu:fareast\user1:farwest\user1
```
@ -138,7 +138,7 @@ The following sections describe common XML file problems. Expand the section to
**Resolution:** Install all of the desired applications on the computer before running the `/genconfig` option. Then run `ScanState.exe` with all of the .xml files. For example, run the following command:
``` syntax
```cmd
ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:5 /l:ScanState.log
```
@ -248,7 +248,7 @@ The following sections describe common offline migration problems. Expand the se
**Resolution:** Use a Security Identifier (SID) to include a user when running the **ScanState** tool. For example:
``` syntax
```cmd
ScanState.exe /ui:S1-5-21-124525095-708259637-1543119021*
```
@ -262,7 +262,7 @@ You can also use patterns for SIDs that identify generic users or groups. For ex
**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the **ScanState** tool has finished running. For example, at a command prompt, enter:
``` syntax
```cmd
reg.exe unload hklm\$dest$software
```
@ -282,7 +282,7 @@ The following sections describe common hard-link migration problems. Expand the
**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, enter:
``` syntax
```cmd
UsmtUtils.exe /rd <storedir>
```

4
windows/deployment/usmt/usmt-configxml-file.md
View File

@ -50,7 +50,7 @@ The following example specifies that all locked files, regardless of their locat
Additionally, the order in the **&lt;ErrorControl&gt;** section implies priority. In this example, the first **&lt;nonFatal&gt;** tag takes precedence over the second **&lt;fatal&gt;** tag. This precedence is applied, regardless of how many tags are listed.
``` xml
```xml
<ErrorControl>
<fileError>
<nonFatal errorCode="33">* [*]</nonFatal>
@ -152,7 +152,7 @@ The **&lt;HardLinkStoreControl&gt;** sample code below specifies that hard links
> [!IMPORTANT]
> The **&lt;ErrorControl&gt;** section can be configured to conditionally ignore file access errors, based on the file's location.
``` xml
```xml
<Policy>
<HardLinkStoreControl>
<fileLocked>

8
windows/deployment/usmt/usmt-conflicts-and-precedence.md
View File

@ -37,7 +37,7 @@ If you have an **&lt;include&gt;** rule in one component and a **&lt;locationMod
The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the **&lt;exclude&gt;** rule is specified in a separate component.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/UserDocs">
<component type="Documents" context="System">
<displayName>User Documents</displayName>
@ -71,7 +71,7 @@ The following .xml file migrates all files from C:\\Userdocs, including .mp3 fil
Specifying `migrate="no"` in the `Config.xml` file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded.
``` xml
```xml
<include>
<objectSet>
<pattern type="File">%CSIDL_PERSONAL%\* [*.doc] </pattern>
@ -103,7 +103,7 @@ If there are conflicting rules within a component, the most specific rule is app
In the following example, mp3 files won't be excluded from the migration. The mp3 files won't be excluded because directory names take precedence over the file extensions.
``` xml
```xml
<include>
<objectSet>
<pattern type="File">C:\Data\* [*]</pattern>
@ -181,7 +181,7 @@ The destination computer contains the following files:
You have a custom .xml file that contains the following code:
``` xml
```xml
<include>
<objectSet>
<pattern type="File">c:\data\* [*]</pattern>

6
windows/deployment/usmt/usmt-custom-xml-examples.md
View File

@ -22,7 +22,7 @@ The following template is a template for the sections that you need to migrate y
<details>
<summary>Expand to show <b>Example 1</b> application template:</summary>
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migtestapp">
<component type="Application">
<!-- Name of the application -->
@ -161,7 +161,7 @@ The sample patterns describe the behavior in the following example .xml file.
<details>
<summary>Expand to show <b>Example 3</b> XML file:</summary>
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/testfilemig">
<component type="Application" context="System">
<displayName>File Migration Test</displayName>
@ -203,7 +203,7 @@ The behavior for this custom .xml file is described within the `<displayName>` t
<details>
<summary>Expand to show <b>Example 4</b> XML file:</summary>
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">

6
windows/deployment/usmt/usmt-estimate-migration-store-size.md
View File

@ -47,7 +47,7 @@ To run the ScanState tool on the source computer with USMT installed:
2. Navigate to the USMT tools. For example, enter:
``` syntax
```cmd
cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\<architecture>"
```
@ -55,13 +55,13 @@ To run the ScanState tool on the source computer with USMT installed:
3. Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, enter:
``` syntax
```cmd
ScanState.exe <StorePath> /p:<path to a file>
```
Where *&lt;StorePath&gt;* is a path to a directory where the migration store will be saved and *&lt;path to a file&gt;* is the path and filename where the XML report for space requirements will be saved. For example:
``` syntax
```cmd
ScanState.exe c:\store /p:c:\spaceRequirements.xml
```

20
windows/deployment/usmt/usmt-exclude-files-and-settings.md
View File

@ -50,7 +50,7 @@ The migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, contai
The following .xml file migrates all files located on the C: drive, except any .mp3 files.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/mp3files">
<!-- This component migrates all files except those with .mp3 extension-->
<component type="Documents" context="UserAndSystem">
@ -77,7 +77,7 @@ The following .xml file migrates all files located on the C: drive, except any .
The following .xml file migrates all files and subfolders in `C:\Data`, except the files and subfolders in `C:\Data\tmp`.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName _locID="miguser.sharedvideo">Test component</displayName>
@ -103,7 +103,7 @@ The following .xml file migrates all files and subfolders in `C:\Data`, except t
The following .xml file migrates any subfolders in `C:\`EngineeringDrafts`, but excludes all files that are in `C:\EngineeringDrafts`.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents without subfolders</displayName>
@ -129,7 +129,7 @@ The following .xml file migrates any subfolders in `C:\`EngineeringDrafts`, but
The following .xml file migrates all files and subfolders in `C:\EngineeringDrafts`, except for the `Sample.doc` file in `C:\EngineeringDrafts`.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents except Sample.doc</displayName>
@ -155,13 +155,13 @@ The following .xml file migrates all files and subfolders in `C:\EngineeringDraf
To exclude a Sample.doc file from any location on the C: drive, use the **&lt;pattern&gt;** element. If multiple files exist with the same name on the C: drive, all of these files will be excluded.
``` xml
```xml
<pattern type="File"> C:\* [Sample.doc] </pattern>
```
To exclude a Sample.doc file from any drive on the computer, use the **&lt;script&gt;** element. If multiple files exist with the same name, all of these files will be excluded.
``` xml
```xml
<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
```
@ -173,7 +173,7 @@ Here are some examples of how to use XML to exclude files, folders, and registry
The following .xml file excludes all `.mp3` files from the migration:
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/excludefiles">
<component context="System" type="Documents">
<displayName>Test</displayName>
@ -194,7 +194,7 @@ The following .xml file excludes all `.mp3` files from the migration:
The following .xml file excludes only the files located on the C: drive.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/allfiles">
<component type="Documents" context="System">
<displayName>Test</displayName>
@ -215,7 +215,7 @@ The following .xml file excludes only the files located on the C: drive.
The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registry key and all of its subkeys.
``` xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/miguser">
<component type="Documents" context="User">
@ -242,7 +242,7 @@ The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registr
The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all `*.docx`, `*.xls` and `*.ppt` files won't be migrated because the **&lt;unconditionalExclude&gt;** element takes precedence over the **&lt;include&gt;** element.
``` xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/miguser">
<component type="Documents" context="System">

10
windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
View File

@ -29,7 +29,7 @@ In addition, you can specify the file patterns that you want to extract by using
To extract files from the compressed migration store onto the destination computer, use the following UsmtUtils syntax:
``` syntax
```cmd
UsmtUtils.exe /extract <filePath> <destinationPath> [/i:<includePattern>] [/e:<excludePattern>] [/l:<logfile>] [/decrypt[:<AlgID>] {/key:<keystring> | /keyfile:<filename>}] [/o]
```
@ -57,7 +57,7 @@ Where the placeholders have the following values:
To extract everything from a compressed migration store to a file on the `C:\` drive, enter:
``` syntax
```cmd
UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore
```
@ -65,7 +65,7 @@ UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore
To extract specific files, such as `.txt` and `.pdf` files, from an encrypted compressed migration store, enter:
``` syntax
```cmd
UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt
```
@ -75,7 +75,7 @@ In this example, the file is encrypted and the encryption key is located in a te
To extract all files except for one file type, such as `.exe` files, from an encrypted compressed migration store, enter:
``` syntax
```cmd
UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt
```
@ -83,7 +83,7 @@ UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedS
To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example:
``` syntax
```cmd
UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o
```

4
windows/deployment/usmt/usmt-general-conventions.md
View File

@ -55,13 +55,13 @@ You can use the XML helper functions in the [XML elements library](usmt-xml-elem
As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function:
``` syntax
```cmd
SomeFunction("My String argument",NULL,NULL)
```
is equivalent to:
``` syntax
```cmd
SomeFunction("My String argument")
```

4
windows/deployment/usmt/usmt-hard-link-migration-store.md
View File

@ -92,7 +92,7 @@ It isn't necessary to estimate the size of a hard-link migration store since har
Separate hard-link migration stores are created on each NTFS volume that contain data being migrated. In this scenario, the primary migration-store location will be specified on the command line, and should be the operating-system volume. Migration stores with identical names and directory names will be created on every volume containing data being migrated. For example:
``` syntax
```cmd
ScanState.exe /hardlink c:\USMTMIG […]
```
@ -144,7 +144,7 @@ A new section in the `Config.xml` file allows optional configuration of some of
The following XML sample specifies that files locked by an application under the `\Users` directory can remain in place during the migration. It also specifies that locked files that aren't located in the `\Users` directory should result in the **File in Use** error. It's important to exercise caution when specifying the paths using the `<createhardlink>`** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete.
``` xml
```xml
<Policies>
<HardLinkStoreControl>
<fileLocked>

18
windows/deployment/usmt/usmt-include-files-and-settings.md
View File

@ -19,7 +19,7 @@ When you specify the migration .xml files, User State Migration Tool (USMT) 10.0
The following .xml file migrates a single registry key.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Application" context="System">
<displayName>Component to migrate only registry value string</displayName>
@ -44,7 +44,7 @@ The following examples show how to migrate a folder from a specific drive, and f
- **Including subfolders.** The following .xml file migrates all files and subfolders from `C:\EngineeringDrafts` to the destination computer.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents including subfolders</displayName>
@ -63,7 +63,7 @@ The following examples show how to migrate a folder from a specific drive, and f
- **Excluding subfolders.** The following .xml file migrates all files from `C:\EngineeringDrafts`, but it doesn't migrate any subfolders within `C:\EngineeringDrafts`.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents without subfolders</displayName>
@ -84,7 +84,7 @@ The following examples show how to migrate a folder from a specific drive, and f
The following .xml file migrates all files and subfolders of the `EngineeringDrafts` folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents folder on any drive on the computer </displayName>
@ -104,7 +104,7 @@ The following .xml file migrates all files and subfolders of the `EngineeringDra
The following .xml file migrates all files and subfolders of the `EngineeringDrafts` folder from any location on the `C:\` drive. If multiple folders exist with the same name, they're all migrated.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive </displayName>
@ -126,7 +126,7 @@ The following .xml file migrates all files and subfolders of the `EngineeringDra
The following .xml file migrates `.mp3` files located in the specified drives on the source computer into the `C:\Music` folder on the destination computer.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>All .mp3 files to My Documents</displayName>
@ -155,7 +155,7 @@ The following examples show how to migrate a file from a specific folder, and ho
- **To migrate a file from a folder.** The following .xml file migrates only the `Sample.doc` file from `C:\EngineeringDrafts` on the source computer to the destination computer.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>Component to migrate all Engineering Drafts Documents</displayName>
@ -174,13 +174,13 @@ The following examples show how to migrate a file from a specific folder, and ho
- **To migrate a file from any location.** To migrate the `Sample.doc` file from any location on the `C:\` drive, use the **&lt;pattern&gt;** element, as the following example shows. If multiple files exist with the same name on the `C:\` drive, all of files with this name are migrated.
``` xml
```xml
<pattern type="File"> C:\* [Sample.doc] </pattern>
```
To migrate the Sample.doc file from any drive on the computer, use &lt;script&gt; as the following example shows. If multiple files exist with the same name, all files with this name are migrated.
``` xml
```xml
<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
```

8
windows/deployment/usmt/usmt-log-files.md
View File

@ -104,7 +104,7 @@ The following examples describe common scenarios in which you can use the diagno
Let's imagine that we have the following directory structure and that we want the **data** directory to be included in the migration along with the **New Text Document.txt** file in the **New Folder**. The directory of `C:\data` contains:
``` console
```console
01/21/2009 10:08 PM <DIR> .
01/21/2009 10:08 PM <DIR> ..
01/21/2009 10:08 PM <DIR> New Folder
@ -115,7 +115,7 @@ Let's imagine that we have the following directory structure and that we want th
The directory of `C:\data\New Folder` contains:
``` console
```console
01/21/2009 10:08 PM <DIR> .
01/21/2009 10:08 PM <DIR> ..
01/21/2009 10:08 PM 0 New Text Document.txt
@ -198,7 +198,7 @@ This diagnostic log confirms that the modified **&lt;pattern&gt;** value enables
In this scenario, you have the following directory structure and you want all files in the **Data** directory to migrate, except for text files. The `C:\Data` folder contains:
``` console
```console
Directory of C:\Data
01/21/2009 10:08 PM <DIR> .
@ -211,7 +211,7 @@ Directory of C:\Data
The `C:\Data\New Folder\` contains:
``` console
```console
01/21/2009 10:08 PM <DIR> .
01/21/2009 10:08 PM <DIR> ..
01/21/2009 10:08 PM 0 New Text Document.txt

2
windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
View File

@ -34,7 +34,7 @@ Before using the **ScanState** tool for a migration that includes encrypted file
You can run the [Cipher.exe](/windows-server/administration/windows-commands/cipher) tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt enter:
``` syntax
```cmd
cipher.exe /D /S:<PATH>
```

14
windows/deployment/usmt/usmt-migrate-user-accounts.md
View File

@ -23,7 +23,7 @@ Links to detailed explanations of commands are available in the [Related article
2. Enter the following `ScanState.exe` command line in a command prompt window:
``` syntax
```cmd
ScanState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /o
````
@ -33,13 +33,13 @@ Links to detailed explanations of commands are available in the [Related article
- If you're migrating domain accounts, enter:
``` syntax
```cmd
LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml
```
- If you're migrating local accounts along with domain accounts, enter:
``` syntax
```cmd
LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /lac /lae
```
@ -54,7 +54,7 @@ Links to detailed explanations of commands are available in the [Related article
2. Enter the following `ScanState.exe` command line in a command prompt window:
``` syntax
```cmd
ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml /o
```
@ -62,7 +62,7 @@ Links to detailed explanations of commands are available in the [Related article
4. Enter the following `LoadState.exe ` command line in a command prompt window:
``` syntax
```cmd
LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml
```
@ -74,7 +74,7 @@ Links to detailed explanations of commands are available in the [Related article
2. Enter the following `ScanState.exe` command line in a command prompt window:
``` syntax
```cmd
ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:MigDocs.xml /i:MigApp.xml /o
```
@ -82,7 +82,7 @@ Links to detailed explanations of commands are available in the [Related article
4. Enter the following `LoadState.exe ` command line in a command prompt window:
``` syntax
```cmd
LoadState.exe \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml
```

6
windows/deployment/usmt/usmt-reroute-files-and-settings.md
View File

@ -19,7 +19,7 @@ To reroute files and settings, create a custom .xml file and specify the .xml fi
The following custom .xml file migrates the directories and files from `C:\EngineeringDrafts` into the **My Documents** folder of every user. **%CSIDL_PERSONAL%** is the virtual folder representing the **My Documents** desktop item, which is equivalent to **CSIDL_MYDOCUMENTS**.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="User">
<displayName>Engineering Drafts Documents to Personal Folder</displayName>
@ -47,7 +47,7 @@ The following custom .xml file migrates the directories and files from `C:\Engin
The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the `C:\Music` folder on the destination computer.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="System">
<displayName>All .mp3 files to My Documents</displayName>
@ -74,7 +74,7 @@ The following custom .xml file reroutes .mp3 files located in the fixed drives o
The following custom .xml file migrates the `Sample.doc` file from `C:\EngineeringDrafts` into the **My Documents** folder of every user. **%CSIDL_PERSONAL%** is the virtual folder representing the **My Documents** desktop item, which is equivalent to **CSIDL_MYDOCUMENTS**.
``` xml
```xml
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
<component type="Documents" context="User">
<displayName>Sample.doc into My Documents</displayName>

2
windows/deployment/usmt/usmt-scanstate-syntax.md
View File

@ -43,7 +43,7 @@ The `ScanState.exe` command's syntax is:
For example, to create a `Config.xml` file in the current directory, use:
``` syntax
```cmd
ScanState.exe /i:MigApp.xml /i:MigDocs.xml /genconfig:Config.xml /v:13
```

8
windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
View File

@ -59,7 +59,7 @@ Where the placeholders have the following values:
To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, enter:
``` syntax
```cmd
UsmtUtils.exe /verify D:\MyMigrationStore\store.mig
```
@ -69,7 +69,7 @@ Because no report type is specified, **UsmtUtils** displays the default summary
To verify whether the catalog file is corrupted or intact, enter:
``` syntax
```cmd
UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig
```
@ -77,7 +77,7 @@ UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig
To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, enter:
``` syntax
```cmd
UsmtUtils.exe /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt`
```
@ -87,7 +87,7 @@ In addition to verifying the status of all files, this example decrypts the file
In this example, the log file will only list the files that became corrupted during the **ScanState** process. This list will include the catalog file if it's also corrupted.
``` syntax
```cmd
UsmtUtils.exe /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt
```

6
windows/deployment/usmt/xml-file-requirements.md
View File

@ -17,20 +17,20 @@ When creating custom .xml files, note the following requirements:
- **The file must be in Unicode Transformation Format-8 (UTF-8).** Save the file in this format, and you must specify the following syntax at the beginning of each .xml file:
``` xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
```
- **The file must have a unique migration URL ID**. The URL ID of each file that you specify on the command line must be different. If two migration .xml files have the same URL ID, the second .xml file that is specified on the command line won't be processed. The second file won't be processed because USMT uses the URL ID to define the components within the file. For example, you must specify the following syntax at the beginning of each file:
``` xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/<CustomFileName>">
```
- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This condition is because the `Config.xml` file defines the components by the display name and the migration URL ID. For example, specify the following syntax:
``` xml
```xml
<displayName>My Application</displayName>
```

13
windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
View File

@ -33,18 +33,31 @@ Before performing proxy activation, ensure that the network and the VAMT install
### To perform an Active Directory forest proxy activation
1. Open VAMT.
2. In the left-side pane, select the **Active Directory-Based Activation** node.
3. In the right-side **Actions** pane, select **Proxy activate forest** to open the **Install Product Key** dialog box.
4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to activate.
5. If you want to rename the ADBA object, enter a new Active Directory-Based Activation Object name. If you want to rename the ADBA object, you must do it now. After you select **Install Key**, the name can't be changed.
6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then select **Open**. If you're activating an AD forest in an isolated workgroup, save the `.cilx` file to a removable media device.
7. Select **Install Key**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane.
8. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane.
9. In the right-side **Actions** pane, select **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box.
10. In the **Acquire confirmation IDs for file** dialog box, browse to where the `.cilx` file you exported from the isolated workgroup host computer is located. Select the file, and then select **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and acquires the CIDs.
11. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows how many confirmation IDs were successfully acquired, and the name of the file to which the IDs were saved. Select **OK** to close the message.
12. Remove the storage device that contains the `.cilx` file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated workgroup.
13. Open VAMT and then select the **Active Directory-Based Activation** node in the left-side pane.
14. In the right-side **Actions** pane, select **Apply confirmation ID to Active Directory domain**, browse to the `.cilx` file and then select **Open**.
VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane.

6
windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
View File

@ -14,7 +14,11 @@ ms.collection: highpri
# Activate using Active Directory-based activation
(*Applies to: Windows, Windows Server, Office*)
*Applies to:*
- Windows
- Windows Server
- Office
> [!TIP]
> Are you looking for information on retail activation?

51
windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
View File

@ -14,7 +14,15 @@ ms.technology: itpro-fundamentals
# Activate using Key Management Service
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
*Applies to:*
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
> [!TIP]
> Are you looking for information on retail activation?
@ -39,14 +47,20 @@ To enable KMS functionality, a KMS key is installed on a KMS host; then, the hos
### Configure KMS in Windows 10
To activate, use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands:
To activate, use the `slmgr.vbs` command. Open an elevated command prompt and run one of the following commands:
- To install the KMS key, run the command `slmgr.vbs /ipk <KmsKey>`.
- To activate online, run the command `slmgr.vbs /ato`.
- To install the KMS key, type `slmgr.vbs /ipk <KmsKey>`.
- To activate online, type `slmgr.vbs /ato`.
- To activate by telephone, follow these steps:
1. Run `slmgr.vbs /dti` and confirm the installation ID.
2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
4. Run `slmgr.vbs /atp \<confirmation ID\>`.
For more information, see the information for Windows 7 in [Deploy KMS Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn502531(v=ws.11)).
@ -58,42 +72,43 @@ Installing a KMS host key on a computer running Windows Server allows you to act
> [!NOTE]
> You cannot install a client KMS key into the KMS in Windows Server.
This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden.
This scenario is commonly used in larger organizations that don't find the overhead of using a server a burden.
> [!NOTE]
> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](/troubleshoot/windows-server/deployment/error-0xc004f015-activate-windows-10).
> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [Error 0xC004F015 when you activate Windows 10 Enterprise on a Windows Server 2012 R2 KMS host](/troubleshoot/windows-server/deployment/error-0xc004f015-activate-windows-10).
### Configure KMS in Windows Server 2012 R2
1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
2. Launch Server Manager.
3. Add the Volume Activation Services role, as shown in Figure 4.
![Adding the Volume Activation Services role in Server Manager.](../images/volumeactivationforwindows81-04.jpg)
**Figure 4**. Adding the Volume Activation Services role in Server Manager
4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
4. When the role installation is complete, select the link to launch the Volume Activation Tools (Figure 5).
![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-05.jpg)
**Figure 5**. Launching the Volume Activation Tools
5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). This computer can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
![Configuring the computer as a KMS host.](../images/volumeactivationforwindows81-06.jpg)
**Figure 6**. Configuring the computer as a KMS host
6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
6. Install your KMS host key by typing it in the text box, and then select **Commit** (Figure 7).
![Installing your KMS host key.](../images/volumeactivationforwindows81-07.jpg)
**Figure 7**. Installing your KMS host key
7. If asked to confirm replacement of an existing key, click **Yes**.
8. After the product key is installed, you must activate it. Click **Next** (Figure 8).
7. If asked to confirm replacement of an existing key, select **Yes**.
8. After the product key is installed, you must activate it. Select **Next** (Figure 8).
![Activating the software.](../images/volumeactivationforwindows81-08.jpg)
@ -109,7 +124,7 @@ Now that the KMS host is configured, it will begin to listen for activation requ
## Verifying the configuration of Key Management Service
You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message.
KMS volume activation can be verified from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message.
> [!NOTE]
> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2.
@ -117,18 +132,20 @@ You can verify KMS volume activation from the KMS host server or from the client
To verify that KMS volume activation works, complete the following steps:
1. On the KMS host, open the event log and confirm that DNS publishing is successful.
2. On a client computer, open a Command Prompt window, type `Slmgr.vbs /ato`, and then press ENTER.
2. On a client computer, open a Command Prompt window and run the command `Slmgr.vbs /ato`.
The `/ato` command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
3. On a client computer or the KMS host, open an elevated Command Prompt window, type `Slmgr.vbs /dlv`, and then press ENTER.
The `/dlv` command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
3. On a client computer or the KMS host, open an elevated Command Prompt window and run the command `Slmgr.vbs /dlv`.
The `/dlv` command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This test confirms that KMS is functioning correctly, even though the client hasn't been activated.
For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](/windows-server/get-started/activation-slmgr-vbs-options).
## Key Management Service in earlier versions of Windows
If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
If you've already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
2. Request a new KMS host key from the Volume Licensing Service Center.

10
windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
View File

@ -14,7 +14,15 @@ ms.technology: itpro-fundamentals
# Activate clients running Windows 10
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
*Applies to:*
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
> [!TIP]
> Are you looking for information on retail activation?

10
windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
View File

@ -14,7 +14,15 @@ ms.topic: article
# Appendix: Information sent to Microsoft during activation
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
*Applies to:*
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
**Looking for retail activation?**

2
windows/deployment/volume-activation/configure-client-computers-vamt.md
View File

@ -99,7 +99,7 @@ There are several options for organizations to configure the WMI firewall except
- **Image.** Add the configurations to the master Windows image deployed to all clients.
- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**.
- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security** > **Inbound Rules**.
- **Script.** Execute a script using Microsoft Configuration Manager or a third-party remote script execution facility.

10
windows/deployment/volume-activation/monitor-activation-client.md
View File

@ -14,7 +14,15 @@ ms.date: 11/07/2022
# Monitor activation
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
*Applies to:*
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
> [!TIP]
> Are you looking for information on retail activation?

10
windows/deployment/volume-activation/plan-for-volume-activation-client.md
View File

@ -14,7 +14,15 @@ ms.date: 11/07/2022
# Plan for volume activation
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
*Applies to:*
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
> [!TIP]
> Are you looking for information on retail activation?

10
windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
View File

@ -14,7 +14,15 @@ ms.technology: itpro-fundamentals
# Use the Volume Activation Management Tool
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
*Applies to:*
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
> [!TIP]
> Are you looking for information on retail activation?

16
windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
View File

@ -43,7 +43,7 @@ To open PowerShell with administrative credentials, select **Start** and enter `
For all supported operating systems, you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located. For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, enter:
``` powershell
```powershell
cd "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0"
```
@ -51,7 +51,7 @@ For all supported operating systems, you can use the VAMT PowerShell module incl
To import the VAMT PowerShell module, enter the following command at a PowerShell command prompt:
``` powershell
```powershell
Import-Module .\VAMT.psd1
```
@ -61,13 +61,13 @@ To import the VAMT PowerShell module, enter the following command at a PowerShel
You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you're interested in. To view all of the Help content for a VAMT cmdlet, enter:
``` powershell
```powershell
get-help <cmdlet name> -all
```
For example, enter:
``` powershell
```powershell
get-help get-VamtProduct -all
```
@ -78,24 +78,24 @@ get-help get-VamtProduct -all
1. To get the syntax to use with a cmdlet, enter the following command at a PowerShell command prompt:
``` powershell
```powershell
get-help <cmdlet name>
```
For example, enter:
``` powershell
```powershell
get-help get-VamtProduct
```
2. To see examples using a cmdlet, enter:
``` powershell
```powershell
get-help <cmdlet name> -examples
```
For example, enter:
``` powershell
```powershell
get-help get-VamtProduct -examples
```

4
windows/deployment/volume-activation/vamt-known-issues.md
View File

@ -46,13 +46,13 @@ On the KMS host computer, perform the following steps:
3. To extract the contents of the update, run the following command:
``` syntax
```cmd
expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\
```
4. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command:
``` syntax
```cmd
expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168
```

10
windows/deployment/volume-activation/volume-activation-windows-10.md
View File

@ -14,7 +14,15 @@ ms.technology: itpro-fundamentals
# Volume Activation for Windows 10
(*Applies to: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2*)
*Applies to:*
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
> [!TIP]
> Are you looking for volume licensing information?

10
windows/deployment/windows-10-poc-sc-config-mgr.md
View File

@ -277,7 +277,7 @@ This section contains several procedures to support Zero Touch installation with
### Configure the network access account
1. In the Administration workspace, expand **Site Configuration** and select **Sites**.
1. in the **Administration** workspace, expand **Site Configuration** and select **Sites**.
2. On the **Home** ribbon at the top of the console window, select **Configure Site Components** and then select **Software Distribution**.
3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
4. Select the yellow starburst and then select **New Account**.
@ -286,17 +286,17 @@ This section contains several procedures to support Zero Touch installation with
### Configure a boundary group
1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**.
1. in the **Administration** workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**.
2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**.
3. Choose **Default-First-Site-Name** and then select **OK** twice.
4. In the Administration workspace, right-click **Boundary Groups** and then select **Create Boundary Group**.
4. in the **Administration** workspace, right-click **Boundary Groups** and then select **Create Boundary Group**.
5. Next to **Name**, type **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**.
6. On the **References** tab in the **Create Boundary Group** window, select the **Use this boundary group for site assignment** checkbox.
7. Select **Add**, select the **\\\SRV1.contoso.com** checkbox, and then select **OK** twice.
### Add the state migration point role
1. In the Administration workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**.
1. in the **Administration** workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**.
2. In the Add site System Roles Wizard, select **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox.
3. Select **Next**, select the yellow starburst, type **C:\MigData** for the **Storage folder**, and select **OK**.
4. Select **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed.
@ -862,7 +862,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
Checkpoint-VM -Name PC1 -SnapshotName BeginState
```
1. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**.
1. On SRV1, in the Configuration Manager console, in the **Administration** workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**.
1. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
1. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times.
1. When a popup dialog box asks if you want to run full discovery, select **Yes**.

28
windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
View File

@ -1,7 +1,7 @@
---
title: Fix issues found by the Readiness assessment tool
description: This article details how to fix issues found by the Readiness assessment tool
ms.date: 05/30/2022
ms.date: 11/17/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@ -16,6 +16,8 @@ msreviewer: hathind
Seeing issues with your tenant? This article details how to remediate issues found with your tenant.
If you need more assistance with tenant enrollment, you can submit a [tenant enrollment support request](#submit-a-support-request).
## Check results
For each check, the tool will report one of four possible results:
@ -70,3 +72,27 @@ Windows Autopatch requires the following licenses:
| Result | Meaning |
| ----- | ----- |
| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
## Submit a support request
> [!IMPORTANT]
> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting issues.
If you need more assistance with tenant enrollment, you can submit support tickets to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
**To submit a new support request:**
1. If the Readiness assessment tool fails, remediation steps can be found by selecting **View details** under **Management settings** and then selecting the individual check. The **Contact Support** button will be available below remediation instructions in the fly-in-pane.
2. Enter your question(s) and/or a description of the problem.
3. Review all the information you provided for accuracy.
4. When you're ready, select **Create**.
### Manage an active support request
The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated. If you have a question about the case, the best way to get in touch is to reply directly to one of the emails. If we have questions about your request or need more details, we'll email the primary contact listed in the support request.
**To view all your active pre-enrollment support requests:**
1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
1. In the **Windows Autopatch** section, select **Tenant Enrollment**.
1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details.

3
windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
View File

@ -47,6 +47,9 @@ You'll need the following components to complete this lab:
|**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.|
|**An account with Azure Active Directory (Azure AD) Premium license**|This guide will describe how to get a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.|
> [!NOTE]
> When using a VM for Autopilot testing, assign at least two processors and 4 GB of memory.
## Procedures
A summary of the sections and procedures in the lab is provided below. Follow each section in the order it's presented, skipping the sections that don't apply to you. Optional procedures are provided in the appendices.

21
windows/security/docfx.json
View File

@ -36,9 +36,10 @@
"recommendations": true,
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",
"manager": "dansimp",
"audience": "ITPro",
"ms.localizationpriority": "medium",
"ms.prod": "windows-client",
"ms.technology": "itpro-security",
"manager": "aaroncz",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
@ -48,7 +49,6 @@
"folder_relative_path_in_docset": "./"
}
},
"titleSuffix": "Windows security",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
@ -56,13 +56,22 @@
"claydetels19",
"jborsecnik",
"tiburd",
"AngelaMotherofDragons",
"dstrome",
"v-dihans",
"garycentric"
],
"searchScope": ["Windows 10"]
},
"fileMetadata": {
"titleSuffix":{
"threat-protection/**/*.md": "Windows security"
"author":{
"/identity-protection/hello-for-business/*.md": "paolomatarazzo"
},
"ms.author":{
"/identity-protection/hello-for-business/*.md": "paoloma"
},
"ms.reviewer":{
"/identity-protection/hello-for-business/*.md": "erikdau"
}
},
"template": [],

356
windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
View File

@ -1,205 +1,201 @@
---
title: Deploying Certificates to Key Trust Users to Enable RDP
description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials
title: Deploy certificates for remote desktop sign-in
description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
ms.reviewer: erikdau
ms.collection:
- M365-identity-device-management
- ContentEngagementFY23
ms.topic: how-to
localizationpriority: medium
ms.date: 02/22/2021
ms.date: 11/15/2022
appliesto:
-<b>Windows 10</b>
-<b>Windows 11</b>
-<b>Hybrid deployment</b>
-<b>Key trust</b>
-<b>Cloud Kerberos trust</b>
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
ms.technology: itpro-security
---
# Deploy Certificates to Key Trust and Cloud Kerberos Trust Users to Enable RDP
# Deploy certificates for remote desktop (RDP) sign-in
Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time.
This document describes Windows Hello for Business functionalities or scenarios that apply to:\
**Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\
**Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [ key trust](hello-how-it-works-technology.md#key-trust)\
**Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join)
This document discusses an approach for key trust and cloud Kerberos trust deployments where authentication certificates can be deployed to an existing WHFB user.
<br>
Three approaches are documented here:
---
1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy.
Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user:
1. Deploying a certificate to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune.
- Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy
- Deploy certificates to hybrid or Azure AD-joined devices using Intune
- Work with third-party PKIs
1. Working with non-Microsoft enterprise certificate authorities.
## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy
### Create a Windows Hello for Business certificate template
1. Sign in to your issuing certificate authority (CA).
1. Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc).
1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console.
1. Right-click the **Smartcard Logon** template and click **Duplicate Template**
![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png)
1. On the **Compatibility** tab:
1. Clear the **Show resulting changes** check box
1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list
1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list
1. On the **General** tab:
1. Specify a Template display name, such as **WHfB Certificate Authentication**
1. Set the validity period to the desired value
1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example).
1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
1. On the **Subject Name** tab:
1. Select the **Build from this Active Directory** information button if it is not already selected
1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected
1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
1. On the **Request Handling** tab:
1. Select the **Renew with same key** check box
1. Set the Purpose to **Signature and smartcard logon**
1. Click **Yes** when prompted to change the certificate purpose
1. Click **Prompt the user during enrollment**
1. On the **Cryptography** tab:
1. Set the Provider Category to **Key Storage Provider**
1. Set the Algorithm name to **RSA**
1. Set the minimum key size to **2048**
1. Select **Requests must use one of the following providers**
1. Tick **Microsoft Software Key Storage Provider**
1. Set the Request hash to **SHA256**
1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them.
1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
1. Close the Certificate Templates console.
1. Open an elevated command prompt and change to a temporary working directory.
1. Execute the following command:
`certutil -dstemplate \<TemplateName\> \> \<TemplateName\>.txt`
Replace \<TemplateName\> with the Template name you took note of earlier in step 7.
1. Open the text file created by the command above.
1. Delete the last line of the output from the file that reads **CertUtil: -dsTemplate command completed successfully.**
1. Modify the line that reads **pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"** to **pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"**
1. Save the text file.
1. Update the certificate template by executing the following command:
certutil -dsaddtemplate \<TemplateName\>.txt
1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue**
![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png)
1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list.
1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. Right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
### Requesting a Certificate
1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority.
1. Start the **Certificates Current User** console (%windir%\system32\certmgr.msc).
1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…**
![Request a new certificate.](images/rdpcert/requestnewcertificate.png)
1. On the Certificate Enrollment screen, click **Next**.
1. Under Select Certificate Enrollment Policy, ensure **Active Directory Enrollment Policy** is selected and then click **Next**.
1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enroll**.
1. After a successful certificate request, click Finish on the Certificate Installation Results screen
## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune
Deploying a certificate to Azure AD Joined Devices may be achieved with the Simple Certificate Enrollment Protocol (SCEP) via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-scep-configure).
Next you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD Joined Devices using a Trusted root certificate profile with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune](/mem/intune/protect/certificates-trusted-root).
Once these requirements have been met, a new device configuration profile may be configured from Intune that provisions a certificate for the user of the device. Proceed as follows:
1. Sign in to the Microsoft [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to Devices \> Configuration Profiles \> Create profile.
1. Enter the following properties:
1. For Platform, select **Windows 10 and later**.
1. For Profile, select **SCEP Certificate**.
1. Click **Create**.
1. In **Basics**, enter the following parameters:
1. **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company.
1. **Description**: Enter a description for the profile. This setting is optional, but recommended.
1. Select **Next**.
1. In the **Configuration settings**, complete the following:
1. For Certificate Type, choose **User**.
1. For Subject name format, set it to **CN={{UserPrincipalName}}**.
1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}**.
1. For Certificate validity period, set a value of your choosing.
1. For Key storage provider (KSP), choose **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**.
1. For Key usage, choose **Digital Signature**.
1. For Key size (bits), choose **2048**.
1. For Hash algorithm, choose **SHA-2**.
1. Under Root Certificate, click **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate.
1. Under Extended key usage, add the following:
| Name | Object Identifier | Predefined Values |
|------|-------------------|-------------------|
| Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Smart Card Logon |
| Client Authentication | 1.3.6.1.5.5.7.3.2 | Client Authentication |
1. For Renewal threshold (%), set a value of your choosing.
1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure.
1. Click **Next**
1. In Assignments, target the devices or users who should receive a certificate and click **Next**
1. In Applicability Rules, provide additional issuance restrictions if required and click **Next**
1. In Review + create, click **Create**
Once the configuration profile has been created, targeted clients will receive the profile from Intune on their next refresh cycle. You should find a new certificate in the user store. To validate the certificate is present, do the following steps:
1. Open the Certificates - Current User console (%windir%\system32\certmgr.msc)
1. In the left pane of the MMC, expand **Personal** and select **Certificates**
1. In the right-hand pane of the MMC, check for the new certificate
## Deploy certificates via Active Directory Certificate Services (AD CS)
> [!NOTE]
> This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid Azure Active Directory-Joined devices using Intune Policies.
> This process is applicable to *hybrid Azure AD joined* devices only.
## Using non-Microsoft Enterprise Certificate Authorities
To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template*, and then deploy certificates based on that template.
If you are using a Public Key Infrastructure that uses non-Microsoft services, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune](/mem/intune/protect/certificate-authority-add-scep-overview).
Expand the following sections to learn more about the process.
As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest](https://www.powershellgallery.com/packages/Generate-CertificateRequest) PowerShell commandlet.
<br>
<details>
<summary><b>Create a Windows Hello for Business certificate template</b></summary>
The Generate-CertificateRequest commandlet will generate an .inf file for a pre-existing Windows Hello for Business key. The .inf can be used to generate a certificate request manually using certreq.exe. The commandlet will also generate a .req file, which can be submitted to your PKI for a certificate.
Follow these steps to create a certificate template:
## RDP Sign-in with Windows Hello for Business Certificate Authentication
1. Sign in to your issuing certificate authority (CA) and open *Server Manager*
1. Select **Tools > Certification Authority**. The Certification Authority Microsoft Management Console (MMC) opens
1. In the MMC, expand the CA name and right-click **Certificate Templates > Manage**
1. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane
1. Right-click the **Smartcard Logon** template and select **Duplicate Template**
1. Use the following table to configure the template:
After adding the certificate using an approach from any of the previous sections, you should be able to RDP to any Windows device or server in the same Forest as the users on-premises Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server.
| Tab Name | Configurations |
| --- | --- |
| *Compatibility* | <ul><li>Clear the **Show resulting changes** check box</li><li>Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*</li><li>Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*</li></ul>|
| *General* | <ul><li>Specify a **Template display name**, for example *WHfB Certificate Authentication*</li><li>Set the validity period to the desired value</li><li>Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)</li></ul>|
| *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**|
| *Subject Name* | <ul><li> Select the **Build from this Active Directory** information button if it isn't already selected</li><li>Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected</li><li>Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**</li></ul>|
|*Request Handling*|<ul><li>Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose</li><li>Select the **Renew with same key** check box</li><li>Select **Prompt the user during enrollment**</li></ul>|
|*Cryptography*|<ul><li>Set the Provider Category to **Key Storage Provider**</li><li>Set the Algorithm name to **RSA**</li><li>Set the minimum key size to **2048**</li><li>Select **Requests must use one of the following providers**</li><li>Select **Microsoft Software Key Storage Provider**</li><li>Set the Request hash to **SHA256**</li></ul>|
|*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them|
1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid Azure Active Directory-Joined client where the authentication certificate has been deployed.
1. Attempt an RDP session to a target server.
1. Use the certificate credential protected by your Windows Hello for Business gesture.
1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates
1. Close the Certificate Templates console
1. Open an elevated command prompt and change to a temporary working directory
1. Execute the following command, replacing `<TemplateName>` with the **Template display name** noted above
```cmd
certutil.exe -dstemplate <TemplateName> > <TemplateName.txt>
```
1. Open the text file created by the command above.
- Delete the last line of the output from the file that reads\
`CertUtil: -dsTemplate command completed successfully.`
- Modify the line that reads\
`pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to\
`pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"`
1. Save the text file
1. Update the certificate template by executing the following command:
```cmd
certutil.exe -dsaddtemplate <TemplateName.txt>
```
1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue**
1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list
1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service**
</details>
<br>
<details>
<summary><b>Request a certificate</b></summary>
1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA
1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc`
1. In the left pane of the MMC, right-click **Personal > All Tasks > Request New Certificate…**
1. On the Certificate Enrollment screen, select **Next**
1. Under *Select Certificate Enrollment Policy*, select **Active Directory Enrollment Policy > Next**
1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll**
1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen
</details>
## Deploy certificates via Intune
> [!NOTE]
> This process is applicable to both *Azure AD joined* and *hybrid Azure AD joined* devices that are managed via Intune.
Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) via Intune. For guidance deploying the required infrastructure, refer to:
- [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune][MEM-1]
- [Configure and use PKCS certificates with Intune][MEM-2]
Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5].
Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device.
<br>
<details>
<summary><b>Create a policy in Intune</b></summary>
This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy.
1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
1. Select **Devices > Configuration profiles > Create profile**
1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate**
1. Select **Create**
1. In the *Basics* panel, provide a **Name** and, optionally, a **Description > Next**
1. In the *Configuration settings* panel, use the following table to configure the policy:
| Setting| Configurations |
| --- | --- |
|*Certificate Type*| User |
|*Subject name format* | `CN={{UserPrincipalName}}` |
|*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `CN={{UserPrincipalName}}`
|*Certificate validity period* | Configure a value of your choosing|
|*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**
|*Key usage*| **Digital Signature**|
|*Key size (bits)* | **2048**|
|*For Hash algorithm*|**SHA-2**|
|*Root Certificate*| Select **+Root Certificate** and select the trusted certificate profile created earlier for the Root CA Certificate|
|*Extended key usage*| <ul><li>*Name:* **Smart Card Logon**</li><li>*Object Identifier:* `1.3.6.1.4.1.311.20.2.2`</li><li>*Predefined Values:* **Smart Card Logon**</li><br><li>*Name:* **Client Authentication**</li><li>*Object Identifier:* `1.3.6.1.5.5.7.3.2 `</li><li>*Predefined Values:* **Client Authentication**</li></ul>|
|*Renewal threshold (%)*|Configure a value of your choosing|
|*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure|
1. Select **Next**
1. In the *Assignments* panel, assign the policy to a security group that contains as members the devices or users that you want to configure and select **Next**
1. In the *Applicability Rules* panel, configure issuance restrictions, if needed, and select **Next**
1. In the *Review + create* panel, review the policy configuration and select **Create**
For more information how to configure SCEP policies, see [Configure SCEP certificate profiles in Intune][MEM-3].
To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4].
</details>
<br>
<details>
<summary><b>Request a certificate</b></summary>
Once the Intune policy is created, targeted clients will request a certificate during their next policy refresh cycle. To validate that the certificate is present in the user store, follow these steps:
1. Sign in to a client targeted by the Intune policy
1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc`
1. In the left pane of the MMC, expand **Personal** and select **Certificates**
1. In the right-hand pane of the MMC, check for the new certificate
</details>
## Use third-party certification authorities
If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6].
As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest][HTTP-1] PowerShell commandlet.
The `Generate-CertificateRequest` commandlet will generate an *.inf* file for a pre-existing Windows Hello for Business key. The *.inf* can be used to generate a certificate request manually using `certreq.exe`. The commandlet will also generate a *.req* file, which can be submitted to your PKI for a certificate.
## RDP sign-in with Windows Hello for Business certificate authentication
After obtaining a certificate, users can RDP to any Windows devices in the same Active Directory forest as the user's Active Directory account.
> [!NOTE]
> The certificate chain of the issuing CA must be trusted by the target server.
1. Open the Remote Desktop Client (`mstsc.exe`) on the client where the authentication certificate has been deployed
1. Attempt an RDP session to a target server
1. Use the certificate credential protected by your Windows Hello for Business gesture to authenticate
[MEM-1]: /mem/intune/protect/certificates-scep-configure
[MEM-2]: /mem/intune/protect/certificates-pfx-configure
[MEM-3]: /mem/intune/protect/certificates-profile-scep
[MEM-4]: /mem/intune/protect/certificates-pfx-configure
[MEM-5]: /mem/intune/protect/certificates-trusted-root
[MEM-6]: /mem/intune/protect/certificate-authority-add-scep-overview
[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest

8
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -3,8 +3,8 @@ metadata:
title: Windows Hello for Business Frequently Asked Questions (FAQ)
description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.prod: windows-client
ms.technology: itpro-security
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
@ -17,7 +17,7 @@ metadata:
- highpri
ms.topic: faq
localizationpriority: medium
ms.date: 02/21/2022
ms.date: 11/11/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
@ -100,7 +100,7 @@ sections:
- question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked?
answer: |
Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in the latest Windows Insiders builds and will be available in the future version of Windows 11.
Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in Windows 11, version 22H2.
- question: Why does authentication fail immediately after provisioning hybrid key trust?
answer: |

3
windows/security/identity-protection/hello-for-business/index.yml
View File

@ -6,7 +6,8 @@ summary: Learn how to manage and deploy Windows Hello for Business.
metadata:
title: Windows Hello for Business documentation
description: Learn how to manage and deploy Windows Hello for Business.
ms.prod: m365-security
ms.prod: windows-client
ms.technology: itpro-security
ms.topic: landing-page
author: paolomatarazzo
ms.author: paoloma

5
windows/security/index.yml
View File

@ -6,8 +6,9 @@ summary: Built with Zero Trust principles at the core to safeguard data and acce
metadata:
title: Windows security # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about Windows security # Required; article description that is displayed in search results. < 160 chars.
ms.topic: landing-page # Required
ms.prod: windows
ms.topic: landing-page
ms.prod: windows-client
ms.technology: itpro-security
ms.collection:
- m365-security-compliance
- highpri

49
windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
View File

@ -1,73 +1,70 @@
---
title: BCD settings and BitLocker (Windows 10)
description: This topic for IT professionals describes the BCD settings that are used by BitLocker.
description: This article for IT professionals describes the BCD settings that are used by BitLocker.
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# Boot Configuration Data settings and BitLocker
**Applies to**
This article for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered.
When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings haven't changed since BitLocker was last enabled, resumed, or recovered.
## BitLocker and BCD Settings
In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack, BitLocker would enter recovery mode.
In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit your validation preferences.
If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage.
In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If it's believed that there's a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit the preferences for validation. If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage.
### When secure boot is enabled
Computers with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored.
One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement is not configurable from within the operating system.
One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement isn't configurable from within the operating system.
## Customizing BCD validation settings
To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** group policy setting.
For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that are not part of the set to which the BCD settings are already applicable to. This can be done by attaching any of the following prefixes to the BCD settings which are being entered in the group policy settings dialog:
For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that aren't part of the set to which the BCD settings are already applicable for. This setting can be done by attaching any of the following prefixes to the BCD settings that are being entered in the group policy settings dialog:
- winload
- winresume
- memtest
- all of the above
- winload
- winresume
- memtest
- all of the above
All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a friendly name.
All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a "friendly name."
The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event.
You can quickly obtain the friendly name for the BCD settings on your computer by using the command `bcdedit.exe /enum all`.
You can quickly obtain the friendly name for the BCD settings on a computer by using the command `bcdedit.exe /enum all`.
Not all BCD settings have friendly names; for those settings without a friendly name, the hex value is the only way to configure an exclusion policy.
When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** group policy setting, use the following syntax:
- Prefix the setting with the boot application prefix
- Append a colon :
- Append either the hex value or the friendly name
- If entering more than one BCD setting, you will need to enter each BCD setting on a new line
- Prefix the setting with the boot application prefix
- Append a colon `:`
- Append either the hex value or the friendly name
- If entering more than one BCD setting, each BCD setting will need to be entered on a new line
For example, either `winload:hypervisordebugport` or `winload:0x250000f4` yields the same value.
For example, either "`winload:hypervisordebugport`" or "`winload:0x250000f4`" yields the same value.
A setting that applies to all boot applications may be applied only to an individual application; however, the reverse is not true. For example, one can specify either `all:locale` or `winresume:locale`, but as the BCD setting `win-pe` does not apply to all boot applications, `winload:winpe` is valid, but `all:winpe` is not valid. The setting that controls boot debugging (`bootdebug` or 0x16000010) will always be validated and will have no effect if it is included in the provided fields.
A setting that applies to all boot applications may be applied only to an individual application. However, the reverse isn't true. For example, one can specify either "`all:locale`" or "`winresume:locale`", but as the BCD setting "`win-pe`" doesn't apply to all boot applications, "`winload:winpe`" is valid, but "`all:winpe`" isn't valid. The setting that controls boot debugging ("`bootdebug`" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields.
> [!NOTE]
> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.
 
### Default BCD validation profile
The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and subsequent versions:
@ -102,7 +99,7 @@ The following table contains the default BCD validation profile used by BitLocke
### Full list of friendly names for ignored BCD settings
This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLockerprotected operating system drive to be unlocked.
The following list is a full list of BCD settings with friendly names, which are ignored by default. These settings aren't part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker-protected operating system drive to be unlocked.
> [!NOTE]
> Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list.

38
windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
View File

@ -9,20 +9,22 @@ metadata:
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
author: frankroj
ms.author: frankroj
manager: aaroncz
audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
ms.topic: faq
ms.date: 02/28/2019
ms.date: 11/08/2022
ms.custom: bitlocker
title: BitLocker and Active Directory Domain Services (AD DS) FAQ
summary: |
**Applies to**
- Windows 10
*Applies to:*
- Windows 10
- Windows 11
- Windows Server 2016 and above
@ -34,20 +36,20 @@ sections:
answer: |
Stored information | Description
-------------------|------------
Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
BitLocker recovery password | The recovery password allows you to unlock and access the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
Hash of the TPM owner password | Beginning with Windows 10, the password hash isn't stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
BitLocker recovery password | The recovery password allows unlocking of and access to the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`.
- question: |
What if BitLocker is enabled on a computer before the computer has joined the domain?
answer: |
If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, the Group Policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt:
```PowerShell
```powershell
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
@ -56,29 +58,29 @@ sections:
```
> [!IMPORTANT]
> Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
> Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
- question: |
Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
answer: |
Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed.
Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it's also possible that the log entry could be spoofed.
Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
- question: |
If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
answer: |
No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
No. By design, BitLocker recovery password entries don't get deleted from AD DS. Therefore, multiple passwords might be seen for each drive. To identify the latest password, check the date on the object.
- question: |
What happens if the backup initially fails? Will BitLocker retry it?
answer: |
If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker doesn't try again to back up the recovery information to AD DS.
When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker can't be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored.
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker won't automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored.

301
windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
View File

@ -4,26 +4,26 @@ description: This article for the IT professional explains how BitLocker feature
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection:
- M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# BitLocker basic deployment
**Applies to**
*Applies to:*
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
This article for the IT professional explains how BitLocker features can be used to protect data through drive encryption.
## Using BitLocker to encrypt volumes
@ -34,77 +34,148 @@ If the drive was prepared as a single contiguous space, BitLocker requires a new
> [!NOTE]
> For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference.
BitLocker encryption can be done using the following methods:
BitLocker encryption can be enabled and managed using the following methods:
- BitLocker control panel
- Windows Explorer
- `manage-bde` command-line interface
- BitLocker Windows PowerShell cmdlets
- BitLocker control panel
- Windows Explorer
- `manage-bde.exe` command-line interface
- BitLocker Windows PowerShell cmdlets
### Encrypting volumes using the BitLocker control panel
Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
Encrypting volumes with the BitLocker control panel (select **Start**, enter `Bitlocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the **BitLocker Drive Encryption Wizard**. **BitLocker Drive Encryption Wizard** options vary based on volume type (operating system volume or data volume).
### Operating system volume
#### Operating system volume
When the BitLocker Drive Encryption Wizard launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are:
For the operating system volume the **BitLocker Drive Encryption Wizard** presents several screens that prompt for options while it performs several actions:
|Requirement|Description|
|--- |--- |
|Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.|
|Hardware TPM|TPM version 1.2 or 2.0. <p> A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
|BIOS configuration|<li> A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.</li> <li> The boot order must be set to start first from the hard disk, and not the USB or CD drives.</li> <li> The firmware must be able to read from a USB flash drive during startup.</li>|
|File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This is applicable for computers that boot natively with UEFI firmware. <br/> For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. <br/> For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
|Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.|
1. When the **BitLocker Drive Encryption Wizard** first launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are:
Upon passing the initial configuration, users are required to enter a password for the volume. If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken.
Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer can't access the drive.
|Requirement|Description|
|--- |--- |
|Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.|
|Hardware TPM|TPM version 1.2 or 2.0. <br><br> A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
|UEFI firmware/BIOS configuration|<ul><li> A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.</li> <li> The boot order must be set to start first from the hard disk, and not the USB or CD drives.</li> <li> The firmware must be able to read from a USB flash drive during startup.</li></ul>|
|File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This requirement is applicable for computers that boot natively with UEFI firmware. <br/> For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. <br/> For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
|Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.|
You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you aren't encrypting. You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume. You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies.
If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken.
- Encrypt used disk space only - Encrypts only disk space that contains data
- Encrypt entire drive - Encrypts the entire volume including free space
2. Upon passing the initial configuration, users may be prompted to enter a password for the volume, for example, if a TPM isn't available. If a TPM is available, the password screen will be skipped.
It's recommended that drives with little to no data use the **used disk space only** encryption option and that drives with data or an operating system use the **encrypt entire drive** option.
3. After the initial configuration/password screens, a recovery key will be generated. The **BitLocker Drive Encryption Wizard** will prompt for a location to save the recovery key. A BitLocker recovery key is a special key that is created when BitLocker Drive Encryption is turned on for the first time on each drive that is encrypted. The recovery key can be used to gain access to the computer if:
> [!NOTE]
> Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
- The drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption
- BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up
Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
A recovery key can also be used to gain access to the files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason the password is forgotten or the computer can't access the drive.
The recovery key can be stored using the following methods:
After completing the system check (if selected), the BitLocker Drive Encryption Wizard restarts the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
- **Save to your Azure AD account** (if applicable)
- **Save to a USB flash drive**
- **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
- **Print the recovery key**
The recovery key can't be stored at the following locations:
- The drive being encrypted
- The root directory of a non-removable/fixed drive
- An encrypted volume
> [!TIP]
> Ideally, a computer's recovery key should be stored separate from the computer itself.
> [!NOTE]
> After a recovery key is created, the BitLocker control panel can be used to make additional copies of the recovery key.
4. The **BitLocker Drive Encryption Wizard** will then prompt how much of the drive to encrypt. The **BitLocker Drive Encryption Wizard** will have two options that determine how much of the drive is encrypted:
- **Encrypt used disk space only** - Encrypts only disk space that contains data.
- **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption.
Each of the methods is recommended in the following scenarios:
- **Encrypt used disk space only**:
- The drive has never had data
- Formatted or erased drives that in the past have never had confidential data that was never encrypted
- **Encrypt entire drive** (full disk encryption):
- Drives that currently have data
- Drives that currently have an operating system
- Formatted or erased drives that in the past had confidential data that was never encrypted
> [!IMPORTANT]
> Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode:
- **New encryption mode**
- **Compatible mode**
Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**.
6. After selecting an encryption mode, the **BitLocker Drive Encryption Wizard** will give the option of running a BitLocker system check via the option **Run BitLocker system check**. This system check will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. it's recommended run this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
After completing the system check (if selected), the **BitLocker Drive Encryption Wizard** will begin encryption. A reboot may be initiated to start encryption. If a reboot was initiated, if there was no TPM and a password was specified, the password will need to be entered to boot into the operating system volume.
Users can check encryption status by checking the system notification area or the BitLocker control panel.
Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
### Data volume
#### Data volume
Encrypting data volumes using the BitLocker control panel interface works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the control panel to begin the BitLocker Drive Encryption wizard.
Unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the wizard to proceed. Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are **password** and **smart card** and **automatically unlock this drive on this computer**. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked.
Encrypting data volumes using the BitLocker control panel works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the BitLocker control panel to begin the **BitLocker Drive Encryption Wizard**.
After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes.
With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it's recommended that used space only encryption is selected.
1. Upon launching the **BitLocker Drive Encryption Wizard**, unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the **BitLocker Drive Encryption Wizard** to proceed
With an encryption method chosen, a final confirmation screen is displayed before the encryption process begins. Selecting **Start encrypting** begins encryption.
2. A choice of authentication methods to unlock the drive appears. The available options are:
- **Use a password to unlock the drive**
- **Use my smart card to unlock the drive**
- **Automatically unlock this drive on this computer** - Disabled by default but if enabled, this option will unlock the data volume without user input when the operating system volume is unlocked.
3. The **BitLocker Drive Encryption Wizard** presents options for storage of the recovery key. These options are the same as for operating system volumes:
- **Save to your Azure AD account** (if applicable)
- **Save to a USB flash drive**
- **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
- **Print the recovery key**
4. After saving the recovery key, the **BitLocker Drive Encryption Wizard** will show available options for encryption. These options are the same as for operating system volumes:
- **Encrypt used disk space only** - Encrypts only disk space that contains data.
- **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption.
5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode:
- **New encryption mode**
- **Compatible mode**
Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**.
6. The **BitLocker Drive Encryption Wizard** will display a final confirmation screen before the encryption process begins. Selecting **Start encrypting** begins encryption.
Encryption status displays in the notification area or within the BitLocker control panel.
### <a href="" id="-onedrive-option-"></a> OneDrive option
### OneDrive option
There's a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain.
There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain.
Users can verify whether the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
Users can verify whether the recovery key was saved properly by checking OneDrive for the BitLocker folder. The BitLocker folder on OneDrive is created automatically during the save process. The folder will contain two files, a `readme.txt` and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
### Using BitLocker within Windows Explorer
Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
## <a href="" id="bkmk-dep2"></a>Down-level compatibility
## Down-level compatibility
The following table shows the compatibility matrix for systems that have been BitLocker-enabled and then presented to a different version of Windows.
The following table shows the compatibility matrix for systems that have been BitLocker enabled and then presented to a different version of Windows.
Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes
@ -115,67 +186,81 @@ Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8,
|Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|
|Partially encrypted volume from Windows 7|Windows 11, Windows 10, and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A|
## <a href="" id="bkmk-dep3"></a>Encrypting volumes using the manage-bde command-line interface
## Encrypting volumes using the `manage-bde.exe` command-line interface
Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
`Manage-bde.exe` is a command-line utility that can be used for scripting BitLocker operations. `Manage-bde.exe` offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
Manage-bde offers a multitude of wider options for configuring BitLocker. So using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
`Manage-bde.exe` offers a multitude of wider options for configuring BitLocker. Using the command syntax may require care. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed. For the volume to be fully protected, an authentication method needs to also be added to the volume in addition to running the `manage-bde.exe`command.
Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
### Operating system volume
### Operating system volume commands
Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on <drive letter>` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.
Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on <drive letter>` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.
**Determining volume status**
#### Determining volume status
A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status:
A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status:
`manage-bde -status`
`manage-bde.exe -status`
This command returns the volumes on the target, current encryption status, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
**Enabling BitLocker without a TPM**
#### Enabling BitLocker without a TPM
For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you'll need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the protectors option and save it to the USB drive on E: and then begin the encryption process. You'll need to reboot the computer when prompted to complete the encryption process.
Suppose BitLocker is desired on a computer without a TPM. In this scenario, a USB flash drive is needed as a startup key for the operating system volume. The startup key will then allow the computer to boot. To create the startup key using `manage-bde.exe`, the `-protectors` switch would be used specifying the `-startupkey` option. Assuming the USB flash drive is drive letter `E:`, then the following `manage-bde.exe` commands would be used t create the startup key and start the BitLocker encryption:
```powershell
manage-bde protectors -add C: -startupkey E:
manage-bde -on C:
manage-bde.exe -protectors -add C: -startupkey E:
manage-bde.exe -on C:
```
**Enabling BitLocker with a TPM only**
If prompted, reboot the computer to complete the encryption process.
It's possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command:
#### Enabling BitLocker with a TPM only
`manage-bde -on C:`
It's possible to encrypt the operating system volume without any defined protectors by using `manage-bde.exe`. Use this command:
This will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information by executing the following command:
```cmd
manage-bde.exe -on C:
```
`manage-bde -protectors -get <volume>`
This command will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the `-protectors` option in `manage-bde.exe` to list this information by executing the following command:
**Provisioning BitLocker with two protectors**
```cmd
manage-bde.exe -protectors -get <volume>
```
Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command:
#### Provisioning BitLocker with two protectors
`manage-bde -protectors -add C: -pw -sid <user or group>`
Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Adding the protectors is done with the command:
This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on.
```cmd
manage-bde.exe -protectors -add C: -pw -sid <user or group>
```
### Data volume
This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker.
Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on <drive letter>` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume.
### Data volume commands
**Enabling BitLocker with a password**
Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command:
A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker.
```cmd
manage-bde.exe -on <drive letter>
```
Or users can choose to add protectors to the volume. It is recommended to add at least one primary protector and a recovery protector to a data volume.
#### Enabling BitLocker with a password
A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and turn on BitLocker.
```powershell
manage-bde -protectors -add -pw C:
manage-bde -on C:
manage-bde.exe -protectors -add -pw C:
manage-bde.exe -on C:
```
## <a href="" id="bkmk-dep4"></a>Encrypting volumes using the BitLocker Windows PowerShell cmdlets
## Encrypting volumes using the BitLocker Windows PowerShell cmdlets
Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
@ -194,11 +279,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
|**Suspend-BitLocker**|<li>Confirm<li>MountPoint<li>RebootCount<li>WhatIf|
|**Unlock-BitLocker**|<li>AdAccountOrGroup<li>Confirm<li>MountPoint<li>Password<li>RecoveryKeyPath<li>RecoveryPassword<li>RecoveryPassword<li>WhatIf|
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets.
Similar to `manage-bde.exe`, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with `manage-bde.exe`, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume PowerShell cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you don't see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If all of the protectors for a volume aren't seen, the Windows PowerShell pipe command (`|`) can be used to format a listing of the protectors.
> [!NOTE]
> In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
@ -206,7 +291,8 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume**
```powershell
Get-BitLockerVolume C: | fl
```
If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
If the existing protectors need to be removed prior to provisioning BitLocker on the volume, the `Remove-BitLockerKeyProtector` cmdlet can be used. Accomplishing this action requires the GUID associated with the protector to be removed.
A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable as seen below:
```powershell
@ -214,18 +300,18 @@ $vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
Using this script, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector.
Using this information, we can then remove the key protector for a specific volume using the command:
Using this script, the information in the **$keyprotectors** variable can be displayed to determine the GUID for each protector. This information can then be used to remove the key protector for a specific volume using the command:
```powershell
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
```
> [!NOTE]
> The BitLocker cmdlet requires the key protector GUID (enclosed in quotation marks) to execute. Ensure the entire GUID, with braces, is included in the command.
### Operating system volume
### Operating system volume PowerShell cmdlets
Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.
Using the BitLocker Windows PowerShell cmdlets is similar to working with the `manage-bde.exe` tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.
To enable BitLocker with just the TPM protector, use this command:
@ -239,11 +325,10 @@ The example below adds one additional protector, the StartupKey protectors, and
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest
```
### Data volume
### Data volume PowerShell cmdlets
Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins.
```powershell
$pw = Read-Host -AsSecureString
<user inputs password>
@ -252,12 +337,12 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
### Using an SID-based protector in Windows PowerShell
The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster.
The **ADAccountOrGroup** protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster.
> [!WARNING]
> The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes.
> The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes.
To add an ADAccountOrGroup protector to a volume, you need either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
To add an **ADAccountOrGroup** protector to a volume, either the domain SID is needed or the group name preceded by the domain and a backslash. In the example below, the **CONTOSO\\Administrator** account is added as a protector to the data volume G.
```powershell
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
@ -268,23 +353,25 @@ For users who wish to use the SID for the account or group, the first step is to
```powershell
Get-ADUser -filter {samaccountname -eq "administrator"}
```
> [!NOTE]
> Use of this command requires the RSAT-AD-PowerShell feature.
> [!TIP]
> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features.
> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: `WHOAMI /ALL`. This doesn't require the use of additional features.
In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
```powershell
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"
```
> [!NOTE]
> Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes.
## <a href="" id="bkmk-dep5"></a> Checking BitLocker status
## Checking BitLocker status
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section.
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section.
### Checking BitLocker status with the control panel
@ -297,21 +384,21 @@ Checking BitLocker status with the control panel is the most common method used
| **Suspended** | BitLocker is suspended and not actively protecting the volume |
| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, `manage-bde.exe` tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
Once BitLocker protector activation is completed, the completion notice is displayed.
### Checking BitLocker status with manage-bde
### Checking BitLocker status with `manage-bde.exe`
Administrators who prefer a command-line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
Administrators who prefer a command-line interface can utilize `manage-bde.exe` to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, `manage-bde.exe` can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
To check the status of a volume using manage-bde, use the following command:
To check the status of a volume using `manage-bde.exe`, use the following command:
```powershell
manage-bde -status <volume>
manage-bde.exe -status <volume>
```
> [!NOTE]
@ -319,22 +406,23 @@ manage-bde -status <volume>
### Checking BitLocker status with Windows PowerShell
Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer.
Windows PowerShell commands offer another way to query BitLocker status for volumes. Like `manage-bde.exe`, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer.
Using the Get-BitLockerVolume cmdlet, each volume on the system displays its current BitLocker status. To get information that is more detailed on a specific volume, use the following command:
```powershell
Get-BitLockerVolume <volume> -Verbose | fl
```
This command displays information about the encryption method, volume type, key protectors, etc.
This command displays information about the encryption method, volume type, key protectors, and more.
### Provisioning BitLocker during operating system deployment
Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. This is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. Enabling BitLocker prior to the operating system deployment is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
### Decrypting BitLocker volumes
Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption shouldn't occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, manage-bde, or Windows PowerShell cmdlets. We'll discuss each method further below.
Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption shouldn't occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, `manage-bde.exe`, or Windows PowerShell cmdlets. We'll discuss each method further below.
### Decrypting volumes using the BitLocker control panel applet
@ -345,22 +433,23 @@ The control panel doesn't report decryption progress but displays it in the noti
Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption.
### Decrypting volumes using the manage-bde command-line interface
### Decrypting volumes using the `manage-bde.exe` command-line interface
Decrypting volumes using manage-bde is straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
Decrypting volumes using `manage-bde.exe` is straightforward. Decryption with `manage-bde.exe` offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
```powershell
manage-bde -off C:
manage-bde.exe -off C:
```
This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command:
```powershell
manage-bde -status C:
manage-bde.exe -status C:
```
### Decrypting volumes using the BitLocker Windows PowerShell cmdlets
Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt.
Decryption with Windows PowerShell cmdlets is straightforward, similar to `manage-bde.exe`. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt.
Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is:
@ -374,7 +463,7 @@ If a user didn't want to input each mount point individually, using the `-MountP
Disable-BitLocker -MountPoint E:,F:,G:
```
## See also
## Related articles
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)

Some files were not shown because too many files have changed in this diff Show More