Windows Client

Level 500 reference for Windows 10/11 deployment, Autopilot, MDT, security features, WSL, Sandbox, Edge for Business, update strategy, and MDM/GPO configuration.

Windows 10/11 cannot be governed through images or policies in isolation. Autopilot, update rings, security baselines, BitLocker, Hello, and browser management together form the modern client stack.
Hardware, WUfB, WSUS, upgrade paths
Enrollment, task sequences, profiles
BitLocker, WDAC, AppLocker, Hello
Developer and browser governance
Settings catalog, ADMX, PPKG

Windows 11 deployment, feature updates, and quality updates

| Topic | Core content | Tools | Note |
|---|---|---|---|
| Hardware requirements | TPM 2.0, Secure Boot, supported CPU, RAM, and storage | PC Health Check, inventory, OEM data | Start compatibility analysis early |
| Feature updates | Annual feature updates and enablement package logic | Windows Update for Business, Intune | Plan rings and pilot groups separately |
| Quality updates | Monthly security and quality fixes | WUfB, WSUS, ConfigMgr | Document pause and rollback paths |
| Expedite | Accelerated security deployment | Intune expedite policies | Use only for true emergencies |
| WUfB reports | Compliance, safeguard, and failure transparency | Azure Monitor / Intune reporting | Maintain asset and deployment IDs cleanly |
| WSUS | Local update approvals and downstream topology | WSUS console | Define clear role separation in hybrid environments |
| Delivery Optimization | Peer-to-peer download logic | DO groups, cache servers | Evaluate branch networks and VPN behavior |
| Rollback | Feature update backout path | Uninstall feature update, safeguard hold | Test time windows and app compatibility |

```powershell
# Quick hardware readiness signals: firmware type and SKU, TPM state, Secure Boot state
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, BiosFirmwareType, CsSystemSKUNumber
Get-Tpm
Confirm-SecureBootUEFI
```
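The three commands above only print raw values. The following function, an added example that is not from the original page, turns the same signals into a pass/fail readiness report against the published Windows 11 minimums (UEFI firmware, GPT system disk, Secure Boot, TPM 2.0, 4 GB RAM, 64 GB disk, 2-core 1 GHz CPU). It does not check the CPU model against the supported-processor lists; that comparison still has to be done against the OEM or Microsoft lists.

```powershell
# Added example: Windows 11 readiness report built from the signals shown above.
# Run elevated so that the TPM and Secure Boot queries can reach the firmware.
function Test-Windows11Readiness {
    [CmdletBinding()]
    param()

    $info = Get-ComputerInfo
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59"; the first field is the spec level.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Confirm-SecureBootUEFI throws on legacy BIOS machines, which counts as a failure.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # Installed DIMM capacity is exact; Win32_ComputerSystem reports slightly less than 4 GB on a 4 GB box.
    $ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum
    $sysPartition = Get-Partition -DriveLetter ($env:SystemDrive).TrimEnd(':')
    $sysDisk = Get-Disk -Number $sysPartition.DiskNumber
    $cpu = $info.CsProcessors | Select-Object -First 1

    $checks = [ordered]@{
        'Firmware is UEFI'            = $info.BiosFirmwareType -eq 'Uefi'
        'System disk is GPT'          = $sysDisk.PartitionStyle -eq 'GPT'
        'Secure Boot enabled'         = [bool]$secureBoot
        'TPM 2.0 present'             = $tpmSpec -eq '2.0'
        'RAM >= 4 GB'                 = $ramBytes -ge 4GB
        'System disk >= 64 GB'        = $sysDisk.Size -ge 64GB
        'CPU >= 2 cores and >= 1 GHz' = ($cpu.NumberOfCores -ge 2) -and ($cpu.MaxClockSpeed -ge 1000)
    }
    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Model        = $info.CsModel
        CpuName      = $cpu.Name          # compare manually with the supported-CPU lists
        Ready        = ($failed.Count -eq 0)
        FailedChecks = $failed
        Checks       = $checks
    }
}

# Example invocation; pipe to Export-Csv to feed the inventory used for the compatibility analysis.
Test-Windows11Readiness | Format-List
```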
Windows Autopilot, ESP, and Microsoft Deployment Toolkit

| Autopilot model | Characteristics | Suitable for | Note |
|---|---|---|---|
| User-driven | User signs in during OOBE | Knowledge workers and standard devices | Balance ESP and app load carefully |
| Pre-provisioned | IT or partner performs white-glove preparation | Devices with heavy app stacks | Understand device certificates and ESP phases |
| Self-deploying | Device starts without user identity | Kiosk, shared devices | TPM attestation is required |
| Autopilot reset | Resets user context while keeping Intune/Entra binding | Reassignment in existing stock | Assess app data and local content |

| MDT building block | What for | Best practice | Note |
|---|---|---|---|
| Deployment share | Store for images, drivers, apps, and scripts | Versioning and stage structure | Do not let it grow uncontrolled |
| Task sequence | Installation and migration logic | Modular steps and variables | Use conditions and logging consistently |
| Boot image | WinPE runtime for deployment | Keep drivers minimal and targeted | Review regularly against the ADK version |
| Out-of-box drivers | Driver management | Model or platform selection | Prevent driver chaos with clear catalogs |
| Lite touch | Partially automated with user initiation | Classic imaging scenarios | Often needed only for special cases today |
| Zero touch | Fully automated via ConfigMgr/orchestration | Large on-premises deployments | Higher infrastructure overhead |

BitLocker, Windows Hello, guard technologies, and application control

| Security feature | Effect | Prerequisites | Note |
|---|---|---|---|
| BitLocker | Encrypts system and data volumes | TPM, recovery key management | Test the recovery workflow and Entra/AD backup |
| Network Unlock | Automatic unlock on the corporate network | UEFI, DHCP, PKI | Only for well-controlled LAN scenarios |
| Windows Hello for Business | Phishing-resistant sign-in | TPM, identity provider, policy | Choose cloud Kerberos trust versus certificate trust intentionally |
| Credential Guard | Protects credentials through VBS | Virtualization-based security | Review legacy auth and virtualization |
| Device Guard / VBS | Hardens the kernel and code execution | Supported hardware and policies | Test performance and driver compatibility |
| WDAC | Allow/deny application control | Code integrity policies | Start in audit mode, then enforce |
| AppLocker | Rule-based application control | Enterprise edition, GPO or CSP | WDAC is stronger; AppLocker is often simpler |
| Exploit Guard | ASR, network protection, controlled folder access | Defender stack | Roll out ASR rules gradually |
| Controlled Folder Access | Protects sensitive paths from unauthorized writes | Defender and policy management | Prepare application allowlisting |
| SmartScreen | Warns about risky downloads and URLs | Edge/Windows integration | Align with browser policy and awareness |

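Several notes in the table (test recovery key backup, review Credential Guard, roll ASR rules out gradually) can be verified per device. The following posture script is an added example, not from the original page; it assumes an elevated session on a device with the BitLocker module and Microsoft Defender, and uses only built-in cmdlets and CIM classes.

```powershell
# Added example: local posture check for the features in the table above.
# Run elevated on a device with the BitLocker module and Microsoft Defender.
function Get-ClientSecurityPosture {
    [CmdletBinding()]
    param()

    # BitLocker: OS volume state plus whether a recovery password protector exists
    # (that is the protector that gets escrowed to Entra ID / AD DS).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $recovery = @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # VBS / Credential Guard / HVCI: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # ASR: Ids and Actions are parallel arrays; action 1 = block, 2 = audit, 6 = warn, 0 = off.
    $mp = Get-MpPreference
    $asrActions = @($mp.AttackSurfaceReductionRules_Actions)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SecureBoot          = Confirm-SecureBootUEFI           # throws on legacy BIOS
        TpmReady            = (Get-Tpm).TpmReady
        BitLockerVolume     = $os.VolumeStatus
        BitLockerProtection = $os.ProtectionStatus
        RecoveryPasswordSet = $recovery.Count -gt 0
        VbsRunning          = $dg.VirtualizationBasedSecurityStatus -eq 2
        CredentialGuardOn   = @($dg.SecurityServicesRunning) -contains 1
        HvciOn              = @($dg.SecurityServicesRunning) -contains 2
        AsrRulesBlock       = @($asrActions | Where-Object { $_ -eq 1 }).Count
        AsrRulesAudit       = @($asrActions | Where-Object { $_ -eq 2 }).Count
        ControlledFolders   = $mp.EnableControlledFolderAccess # 0 off, 1 on, 2 audit
    }
}

# Escrow every recovery password of the OS volume to Entra ID so that the recovery
# workflow from the table can be exercised before BitLocker is enforced by policy.
function Backup-OsRecoveryPasswordToEntra {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    foreach ($kp in ($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

Get-ClientSecurityPosture | Format-List
```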
WSL 2, Windows Sandbox, and Microsoft Edge for Business

| Area | Core commands or policies | Value | Note |
|---|---|---|---|
| WSL 2 | wsl --install, wsl --list --verbose, .wslconfig | Local Linux userland and container development | Explain networking and file system differences |
| GPU support | WSLg and GPU passthrough | ML and data science scenarios | Review drivers and the VM platform |
| Windows Sandbox | .wsb configuration files | Isolated short-lived testing | Expose mapped folders intentionally |
| Edge policies | Startup URLs, extension control, IE mode | Enterprise browser governance | Handle ADMX and the Intune settings catalog in parallel |
| Enterprise site list | IE mode compatibility | Legacy web apps | Versioning and pilot validation are important |

```powershell
# WSL 2: install a distribution, make version 2 the default, and show the WSL status
wsl --install -d Ubuntu
wsl --set-default-version 2
wsl --status
# Windows Sandbox: enable the optional feature
Enable-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM" -All
```
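Once the feature is enabled, the .wsb file decides what the sandbox can reach. The following added example (not from the original page) generates a locked-down configuration for the isolated short-lived testing case in the table: samples enter through one read-only mapped folder, and networking, vGPU, clipboard and printer redirection are disabled. The host folder and output file name are placeholders.

```powershell
# Added example: write a locked-down Windows Sandbox configuration and launch it.
# $HostFolder is the folder to inspect inside the sandbox (placeholder, choose your own).
function New-HardenedSandboxConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostFolder,
        [string] $OutFile = (Join-Path $env:TEMP 'hardened.wsb'),
        [int]    $MemoryInMB = 4096
    )
    if (-not (Test-Path -LiteralPath $HostFolder -PathType Container)) {
        throw "Host folder not found: $HostFolder"
    }
    # The sandbox user is WDAGUtilityAccount; the mapped folder lands on its desktop.
    # Escape the host path so characters such as '&' stay valid XML.
    $sandboxPath = 'C:\Users\WDAGUtilityAccount\Desktop\Samples'
    $hostXml = [System.Security.SecurityElement]::Escape((Resolve-Path -LiteralPath $HostFolder).Path)

    $wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MemoryInMB>$MemoryInMB</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostXml</HostFolder>
      <SandboxFolder>$sandboxPath</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe $sandboxPath</Command>
  </LogonCommand>
</Configuration>
"@
    Set-Content -LiteralPath $OutFile -Value $wsb -Encoding UTF8
    return $OutFile
}

# Generate the file and start the sandbox with it (double-clicking the .wsb does the same).
$config = New-HardenedSandboxConfig -HostFolder 'C:\Quarantine\Samples'   # placeholder path
Start-Process -FilePath 'WindowsSandbox.exe' -ArgumentList "`"$config`""
```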
Settings catalog, ADMX, registry, PPKG, and CSP reference

| Configuration path | Strengths | Typical examples | Note |
|---|---|---|---|
| Settings catalog | Broad Intune surface with searchability | Defender, update, Edge, device restrictions | Preferred path for modern management |
| Administrative templates | ADMX-based policies | Edge, Office, Windows Components | Document cloud and on-prem GPO mapping |
| OMA-URI / CSP | Granular MDM control | Policy CSP, BitLocker CSP | Use only when no native catalog entry exists |
| Registry | Direct low-level configuration | Legacy app settings | Add detection and rollback |
| Provisioning package | Fast offline or on-site configuration | Kiosk and imaging edge cases | Distribute and protect PPKGs securely |
| Windows Configuration Designer | Creates PPKGs and base configurations | Factory floor or pilot staging | Do not treat as a permanent replacement for MDM |