diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index 95a35f0149..0214e455b2 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -59,7 +59,7 @@ The following table lists the SQL Server versions that the App-V Management data |SQL Server version|Service pack|System architecture| |---|---|---| -|Microsoft SQL Server 2019||32-bit or 64-bit| +|Microsoft SQL Server 2019|CU4|32-bit or 64-bit| |Microsoft SQL Server 2017||32-bit or 64-bit| |Microsoft SQL Server 2016|SP2|32-bit or 64-bit| |Microsoft SQL Server 2014||32-bit or 64-bit| @@ -98,6 +98,7 @@ The following table lists the SQL Server versions that are supported for the App |SQL Server version|Service pack|System architecture| |---|---|---| +|Microsoft SQL Server 2019|CU4|32-bit or 64-bit| |Microsoft SQL Server 2017||32-bit or 64-bit| |Microsoft SQL Server 2016|SP2|32-bit or 64-bit| |Microsoft SQL Server 2014||32-bit or 64-bit| diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index ec5d6c0afe..0b28cf30d1 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -1,7 +1,6 @@ --- title: AssignedAccess CSP description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. -ms.assetid: 421CC07D-6000-48D9-B6A3-C638AAF83984 ms.reviewer: manager: dansimp ms.author: dansimp @@ -9,7 +8,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 09/18/2018 +ms.date: 05/03/2022 --- # AssignedAccess CSP 
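Review bot: In both appv-supported-configurations.md hunks the new value `CU4` is placed under the `Service pack` column, but a cumulative update is not a service pack, and SQL Server 2019 (like 2017) has no service packs at all, only CUs. Rename the header to something like `Service pack or cumulative update` so that `|Microsoft SQL Server 2019|CU4|32-bit or 64-bit|` reads correctly, and while the tables are open, state the minimum for SQL Server 2017 as well, which is left blank in both.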
@@ -80,7 +79,14 @@ For a local account, the domain name should be the device name. When Get is exec The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. **./Device/Vendor/MSFT/AssignedAccess/Configuration** -Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here's the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). +Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For more information about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). For more information on the schema, see [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). + +Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode support. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. 
An example breakout sequence would look something like "shift+alt+a", where "shift" and "alt" are the modifiers and "a" is the key. + +> [!Note] +> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. +> +> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. Enterprises can use this to easily configure and manage the curated lockdown experience. @@ -249,7 +255,7 @@ KioskModeApp Replace ## AssignedAccessConfiguration XSD -Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. +The schema below is for AssignedAccess Configuration up to Windows 10 20H2 release. ```xml @@ -260,11 +266,13 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" + xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config" > + @@ -274,8 +282,14 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. + + + + + + @@ -284,7 +298,19 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. - + + + + + + + + + + + + + @@ -385,6 +411,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. + 
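Review bot: The `@@ -249` hunk retitles the schema block as `The schema below is for AssignedAccess Configuration up to Windows 10 20H2 release.` while the `@@ -260` hunk adds `xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"` to that same block; a 2021 namespace cannot belong to a schema that stops at 20H2 (shipped October 2020), so either the heading should name the release that introduced the v4 namespace or the v4 additions belong in a separate "new features" schema block like the 1809 and 1909 ones further down. In the `@@ -80` hunk, `KioskModeApp node will be deprecated soon` gives no version or date; name the release or drop "soon".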
@@ -423,7 +450,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. - +); ``` Here's the schema for new features introduced in Windows 10 1809 release @@ -502,7 +529,32 @@ Schema for Windows 10 prerelease ``` -To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure auto-launch feature that is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +The schema below is for features introduced in Windows 10, version 1909 which has added support for Microsoft Edge kiosk mode and breakout key sequence customization. +```xml + + + + + + + + + + + + + +``` + +To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that's added in the 1809 release, use the below sample. Notice an alias r1809 is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. ```xml 
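Review bot: The `@@ -423` hunk replaces the last line before the closing fence with `+);`, leaving a bare `);` inside a block the fence labels as XML Schema. That token is not valid XSD and will fail validation for anyone who copies the block, so restore the removed line or replace it with the schema's proper closing element instead of `);`. In the `@@ -502` hunk, the paragraph `To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes` should now also mention the 1909 namespace the hunk introduces just above it, and `which has added support for Microsoft Edge kiosk mode` reads better as `which adds support for Microsoft Edge kiosk mode`.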
@@ -569,6 +622,53 @@ To authorize a compatible configuration XML that includes 1809 or prerelease ele ``` +Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. +```xml + + + + + + + + + + EdgeKioskUser + + + + +``` + +Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. +> [!NOTE] +> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. +```xml + + + + + + + + + + + EdgeKioskUser + + + + +``` + ## Configuration examples XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle. @@ -1235,6 +1335,11 @@ ShellLauncherConfiguration Add ShellLauncherConfiguration Add AutoLogon +This function creates an autologon account on your behalf. It's a standard user with no password. The autologon account is managed by AssignedAccessCSP, so the account name isn't exposed. + +> [!Note] +> The autologon function is designed to be used after OOBE with provisioning packages. + ```xml @@ -1480,4 +1585,4 @@ This example configures the following apps: Skype, Learning, Feedback Hub, and C ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index c6d84bf203..6a73458cf7 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md 
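Review bot: In the `@@ -569` hunk the second example sets the breakout sequence to Ctrl+A, and the accompanying callout says only `**BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk.` Since this chord is the one keyboard path out of the kiosk session, the example should use a multi-modifier combination such as the `shift+alt+a` illustration given earlier in the same file, and the note should warn that a common shortcut like Ctrl+A will be hit by ordinary kiosk users and that anyone who learns the sequence can leave the kiosk session.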
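Review bot: The `@@ -1235` hunk adds `It's a standard user with no password. The autologon account is managed by AssignedAccessCSP, so the account name isn't exposed.` without saying what "exposed" means or what happens to this passwordless account when the AssignedAccess configuration is later replaced or deleted. For a public-facing kiosk those are exactly the details an admin needs, so please state where the name is hidden (sign-in screen, MDM Get, or both) and the account's lifecycle. Also use `[!NOTE]` here to match the callout casing used a few lines above in the same file rather than `[!Note]`.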
@@ -22,8 +22,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is for Windows 10, version 1803. - +The XML below is for Windows 10, version 1909. ```xml - com.microsoft/2.0/MDM/AssignedAccess + com.microsoft/4.0/MDM/AssignedAccess @@ -208,4 +207,3 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu - diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index d600b89da2..383f6aedfb 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -60,6 +60,9 @@ manager: dansimp
Storage/WPDDevicesDenyWriteAccessPerUser
+
+ StorageHealthMonitor/DisableStorageHealthMonitor +
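Review bot: In assignedaccess-ddf.md the `@@ -22` hunk changes the intro to `The XML below is for Windows 10, version 1909.` and the version to `com.microsoft/4.0/MDM/AssignedAccess`, while the assignedaccess-csp.md hunks in this same change say the schema covers `up to Windows 10 20H2 release` and add a 2021 namespace; the two pages should agree on which release the DDF and schema describe. The jump from 2.0 straight to 4.0 also deserves a word about 3.0, or it reads like a typo. The hunk further deletes the blank line between that sentence and the ```xml fence; keep it, since the rest of these pages separate prose from fences with a blank line.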
@@ -839,3 +842,50 @@ ADMX Info:
+ +**StorageHealthMonitor/DisableStorageHealthMonitor** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +Note: Versions prior to 21H2 will not support this policy + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Allows disable of Storage Health Monitor. + +Value type is integer. + + + + +The following list shows the supported values: + +- 0 - Storage Health Monitor is Enabled +- 1 - Storage Health Monitor is Disabled + + + + +
+ + + diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 36c96ffa8d..fbc41ad17a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -266,7 +266,7 @@ ms.collection: highpri Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. there's a 12-hour maximum from start time. > [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. +> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. @@ -361,7 +361,7 @@ ADMX Info: Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time. > [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. +> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. 
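Review bot: In the policy-csp-storage.md `@@ -839` hunk, `Note: Versions prior to 21H2 will not support this policy` sits as plain text beneath an edition table that marks every Windows 10 edition `Yes` with no version qualifier, so the table contradicts the note; use the `> [!NOTE]` callout the other pages in this change use and name `Windows 10, version 21H2` explicitly. `Allows disable of Storage Health Monitor.` is ungrammatical and says nothing about what the monitor does or why one would disable it; suggest `Allows disabling Storage Health Monitor.` plus one sentence on its function. The values list should mark the default (`0 - Storage Health Monitor is Enabled (default)`), as the other values lists in this change do wherever a default exists. Finally, the new `StorageHealthMonitor/DisableStorageHealthMonitor` TOC entry in the `@@ -60` hunk belongs to a different policy area than the page's other `Storage/` entries, so confirm the page title and the policy index cover it.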
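Review bot: The `@@ -266` and `@@ -361` hunks of policy-csp-update.md touch only the `[!NOTE]` lines, but the sentence right above each still says `there's a 12-hour maximum from start time` and `There's a 12-hour maximum from end time` while the note says the maximum was raised to 18 in version 1703; while these lines are being edited, fix the contradiction (state 18 hours, or point to the ActiveHoursMaxRange default) and capitalize `there's` at the start of the sentence in the first hunk.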
@@ -426,12 +426,12 @@ ADMX Info: The following list shows the supported values: -- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 0 - Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. - 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). - 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. 
If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). -- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. -- 5 – Turn off automatic updates. +- 3 - Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 4 - Auto install and restart without end-user control. 
Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. +- 5 - Turn off automatic updates. > [!IMPORTANT] @@ -536,8 +536,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not configured. -- 1 – Allowed. Accepts updates received through Microsoft Update. +- 0 - Not configured. +- 1 - Allowed. Accepts updates received through Microsoft Update. > [!NOTE] > Setting this policy back to **0** or **Not configured** doesn't revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service:. @@ -588,8 +588,8 @@ This policy is specific to desktop and local publishing via WSUS for third-party The following list shows the supported values: -- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. +- 0 - Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. +- 1 - Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. 
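Review bot: In the `@@ -426` hunk the value `0` line is rewritten but keeps `This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified`; since the line is already being touched, change `the enterprise who wants` to `enterprises that want` and `With these option` to `With this option`. In the `@@ -536` hunk the context line ends `remove the Microsoft Update service:.`; drop the stray period.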
@@ -629,7 +629,7 @@ Even when Windows Update is configured to receive updates from an intranet updat Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. > [!NOTE] -> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. +> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. @@ -643,8 +643,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Update service isn't allowed. -- 1 (default) – Update service is allowed. +- 0 - Update service isn't allowed. +- 1 (default) - Update service is allowed. @@ -856,8 +856,8 @@ ADMX Info: The following list shows the supported values: -- 1 (default) – Auto Dismissal. -- 2 – User Dismissal. +- 1 (default) - Auto Dismissal. +- 2 - User Dismissal. @@ -1306,7 +1306,7 @@ Defers Feature Updates for the specified number of days. Supported values are 0-365 days. > [!IMPORTANT] -> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. +> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. 
@@ -1393,7 +1393,7 @@ ADMX Info: > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify update delays for up to four weeks. @@ -1471,7 +1471,7 @@ ADMX Info: > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify other upgrade delays for up to eight months. 
@@ -1616,18 +1616,18 @@ The following list shows the supported values: -Available in Windows Update for Business (WUfB) devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a WUfB device should skip safeguards. +Available in Windows Update for Business devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a Windows Update for Business device should skip safeguards. Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience. The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update. -IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the “Disable safeguards for Feature Updates” Group Policy. +IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the "Disable safeguards for Feature Updates" Group Policy. > [!NOTE] > Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied. > -> The disable safeguards policy will revert to “Not Configured” on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update. 
+> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update. > > Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade as you're bypassing the protection given by Microsoft pertaining to known issues. @@ -2069,8 +2069,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Allow Windows Update drivers. -- 1 – Exclude Windows Update drivers. +- 0 (default) - Allow Windows Update drivers. +- 1 - Exclude Windows Update drivers. @@ -2121,8 +2121,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Disabled. -- 1 – Enabled. +- 0 (default) - Disabled. +- 1 - Enabled. @@ -2164,8 +2164,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading) The following list shows the supported values: -- 0 (default) – Don't ignore MO download limit for apps and their updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. +- 0 (default) - Don't ignore MO download limit for apps and their updates. +- 1 - Ignore MO download limit (allow unlimited downloading) for apps and their updates. @@ -2217,8 +2217,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading) The following list shows the supported values: -- 0 (default) – Don't ignore MO download limit for OS updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. +- 0 (default) - Don't ignore MO download limit for OS updates. +- 1 - Ignore MO download limit (allow unlimited downloading) for OS updates. 
@@ -2312,7 +2312,7 @@ The following list shows the supported values: > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. @@ -2333,8 +2333,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Deferrals aren't paused. -- 1 – Deferrals are paused. +- 0 (default) - Deferrals aren't paused. +- 1 - Deferrals are paused. @@ -2383,8 +2383,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Feature Updates aren't paused. -- 1 – Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner. +- 0 (default) - Feature Updates aren't paused. +- 1 - Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner. @@ -2476,8 +2476,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Quality Updates aren't paused. -- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. +- 0 (default) - Quality Updates aren't paused. +- 1 - Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. 
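Review bot: The `@@ -2383` hunk rewrites the value 1 line as `Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner.`; `set to back to` is a typo for `set back to` (the `@@ -2476` hunk has the correct wording), and both lines read better as `until the value is set back to 0`.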
@@ -2580,7 +2580,7 @@ ADMX Info: -Value type is a string containing a Windows product, for example, “Windows 11” or “11” or “Windows 10”. +Value type is a string containing a Windows product, for example, "Windows 11" or "11" or "Windows 10". @@ -2624,7 +2624,7 @@ By using this Windows Update for Business policy to upgrade devices to a new pro > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to General Availability Channel train. @@ -2640,8 +2640,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – User gets upgrades from General Availability Channel (Targeted). -- 1 – User gets upgrades from General Availability Channel. +- 0 (default) - User gets upgrades from General Availability Channel (Targeted). +- 1 - User gets upgrades from General Availability Channel. 
@@ -2675,7 +2675,7 @@ The following list shows the supported values: > [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. +> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end user. EULAs are approved once an update is approved. @@ -2686,8 +2686,8 @@ Supported operations are Get and Replace. The following list shows the supported values: -- 0 – Not configured. The device installs all applicable updates. -- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. +- 0 - Not configured. The device installs all applicable updates. +- 1 - The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. @@ -2769,7 +2769,7 @@ Supported values are 15, 30, or 60 (minutes). > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education Allows the IT Admin to specify the period for autorestart warning reminder notifications. 
@@ -2839,14 +2839,14 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Every day -- 1 – Sunday -- 2 – Monday -- 3 – Tuesday -- 4 – Wednesday -- 5 – Thursday -- 6 – Friday -- 7 – Saturday +- 0 (default) - Every day +- 1 - Sunday +- 2 - Monday +- 3 - Tuesday +- 4 - Wednesday +- 5 - Thursday +- 6 - Friday +- 7 - Saturday @@ -3110,7 +3110,7 @@ ADMX Info: > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education Enables the IT admin to schedule the time of the update installation. @@ -3178,8 +3178,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Enabled -- 1 – Disabled +- 0 (default) - Enabled +- 1 - Disabled @@ -3675,9 +3675,9 @@ Display options for update notifications. This policy allows you to define what Options: -- 0 (default) – Use the default Windows Update notifications -- 1 – Turn off all notifications, excluding restart warnings -- 2 – Turn off all notifications, including restart warnings +- 0 (default) - Use the default Windows Update notifications +- 1 - Turn off all notifications, excluding restart warnings +- 2 - Turn off all notifications, including restart warnings > [!IMPORTANT] > If you choose not to get update notifications and also define other Group policies so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md index fa91e9823e..efba4330c5 100644 --- a/windows/client-management/mdm/update-ddf-file.md +++ b/windows/client-management/mdm/update-ddf-file.md 
@@ -560,7 +560,7 @@ The XML below is for Windows 10, version 1803. Roll back Latest Quality Update, if the machine meets the following conditions: - Condition 1: Device must be WUfB Connected + Condition 1: Device must be Windows Update for Business connected Condition 2: Device must be in a Paused State Condition 3: Device must have the Latest Quality Update installed on the device (Current State) If the conditions are not true, the device will not Roll Back the Latest Quality Update. @@ -588,7 +588,7 @@ The XML below is for Windows 10, version 1803. Roll Back Latest Feature Update, if the machine meets the following conditions: - Condition 1: Device must be WUfB Connected + Condition 1: Device must be Windows Update for Business connected Condition 2: Device must be in Paused State Condition 3: Device must have the Latest Feature Update Installed on the device (Current State) Condition 4: Machine should be within the uninstall period diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 5c3537ac79..81396fc528 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md 
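Review bot: The two update-ddf-file.md hunks edit description text inside the version 1803 DDF XML (`Condition 1: Device must be Windows Update for Business connected`); the page presents this block as a DDF dump, which readers treat as a machine-generated artifact they can diff against the file their MDM server receives, so editorial rewording makes the page silently diverge from the shipped DDF. Either leave the descriptions as emitted or add a sentence above the fence saying the text was edited for terminology.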
@@ -1,157 +1,144 @@ --- -title: Advanced troubleshooting for Stop error or blue screen error issue -ms.reviewer: -manager: dansimp -description: Learn advanced options for troubleshooting Stop errors, also known as blue screen errors or bug check errors. +title: Advanced troubleshooting for stop or blue screen errors +description: Learn advanced options for troubleshooting stop errors, also known as blue screen errors or bug check errors. ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library +ms.technology: windows ms.topic: troubleshooting -author: dansimp +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: ms.localizationpriority: medium -ms.author: dansimp ms.collection: highpri --- -# Advanced troubleshooting for Stop error or blue screen error issue +# Advanced troubleshooting for stop or blue screen errors ->[!NOTE] ->If you're not a support agent or IT professional, you'll find more helpful information about Stop error ("blue screen") messages in [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238). +> [!NOTE] +> If you're not a support agent or IT professional, you'll find more helpful information about stop error ("blue screen") messages in [Troubleshoot blue screen errors](https://support.microsoft.com/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad). - -## What causes Stop errors? +## What causes stop errors? -A Stop error is displayed as a blue screen that contains the name of the faulty driver, such as any of the following example drivers: +A stop error is displayed as a blue screen that contains the name of the faulty driver, such as any of the following example drivers: - `atikmpag.sys` - `igdkmd64.sys` - `nvlddmkm.sys` -There's no simple explanation for the cause of Stop errors (also known as blue screen errors or bug check errors). Many different factors can be involved. However, various studies indicate that Stop errors usually aren't caused by Microsoft Windows components. 
Instead, these errors are related to malfunctioning hardware drivers or drivers that are installed by third-party software. These drivers include video cards, wireless network cards, security programs, and so on. +There's no simple explanation for the cause of stop errors (also known as blue screen errors or bug check errors). Many different factors can be involved. However, various studies indicate that stop errors usually aren't caused by Microsoft Windows components. Instead, these errors are related to malfunctioning hardware drivers or drivers that are installed by third-party software. These drivers include video cards, wireless network cards, security programs, and so on. Our analysis of the root causes of crashes indicates that: -- 70 percent are caused by third-party driver code -- 10 percent are caused by hardware issues -- 5 percent are caused by Microsoft code -- 15 percent have unknown causes (because the memory is too corrupted to analyze) +- 70% are caused by third-party driver code. +- 10% are caused by hardware issues. +- 5% are caused by Microsoft code. +- 15% have unknown causes, because the memory is too corrupted to analyze. > [!NOTE] -> The root cause of Stop errors is never a user-mode process. While a user-mode process (such as Notepad or Slack) may trigger a Stop error, it is merely exposing the underlying bug which is always in a driver, hardware, or the OS. +> The root cause of stop errors is never a user-mode process. While a user-mode process (such as Notepad or Slack) may trigger a stop error, it is merely exposing the underlying bug which is always in a driver, hardware, or the OS. ## General troubleshooting steps -To troubleshoot Stop error messages, follow these general steps: +To troubleshoot stop error messages, follow these general steps: -1. Review the Stop error code that you find in the event logs. 
Search online for the specific Stop error codes to see whether there are any known issues, resolutions, or workarounds for the problem. +1. Review the stop error code that you find in the event logs. Search online for the specific stop error codes to see whether there are any known issues, resolutions, or workarounds for the problem. -2. As a best practice, we recommend that you do the following steps: +1. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system. For example: - 1. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: + - [Windows 10, version 21H2](https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb) + - [Windows 10, version 21H1](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11) + - [Windows 10, version 20H2](https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3) - - [Windows 10, version 21H2](https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb) - - [Windows 10, version 21H1](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11) - - [Windows 10, version 20H2](https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3) - - [Windows 10, version 2004](https://support.microsoft.com/help/4555932) - - [Windows 10, version 1909](https://support.microsoft.com/help/4529964) - - [Windows 10, version 1903](https://support.microsoft.com/help/4498140) - - [Windows 10, version 1809](https://support.microsoft.com/help/4464619) - - [Windows 10, version 1803](https://support.microsoft.com/help/4099479) - - [Windows 10, version 
1709](https://support.microsoft.com/help/4043454) - - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) - - [Windows Server 2016 and Windows 10, version 1607](https://support.microsoft.com/help/4000825) - - [Windows 10, version 1511](https://support.microsoft.com/help/4000824) - - [Windows Server 2012 R2 and Windows 8.1](https://support.microsoft.com/help/4009470) - - [Windows Server 2008 R2 and Windows 7 SP1](https://support.microsoft.com/help/4009469) +1. Make sure that the BIOS and firmware are up-to-date. - 1. Make sure that the BIOS and firmware are up-to-date. +1. Run any relevant hardware and memory tests. - 1. Run any relevant hardware and memory tests. +1. Run [Microsoft Safety Scanner](/microsoft-365/security/intelligence/safety-scanner-download) or any other virus detection program that includes checks of the MBR for infections. -3. Run [Microsoft Safety Scanner](https://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections. +1. Make sure that there's sufficient free space on the hard disk. The exact requirement varies, but we recommend 10-15 percent free disk space. -4. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 10–15 percent free disk space. +1. Contact the respective hardware or software vendor to update the drivers and applications in the following scenarios: -5. Contact the respective hardware or software vendor to update the drivers and applications in the following scenarios: - - - The error message indicates that a specific driver is causing the problem. - - You're seeing an indication of a service that is starting or stopping before the crash occurred. In this situation, determine whether the service behavior is consistent across all instances of the crash. - - You have made any software or hardware changes. 
+ - The error message indicates that a specific driver is causing the problem. + - You're seeing an indication of a service that is starting or stopping before the crash occurred. In this situation, determine whether the service behavior is consistent across all instances of the crash. + - You have made any software or hardware changes. - >[!NOTE] - >If there are no updates available from a specific manufacturer, it is recommended that you disable the related service. - > - >To do this, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135). - > - >You can disable a driver by following the steps in [How to temporarily deactivate the kernel mode filter driver in Windows](/troubleshoot/windows-server/performance/deactivate-kernel-mode-filter-driver). - > - >You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll Back a Device Driver to a Previous Version](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)). + > [!NOTE] + > If there are no updates available from a specific manufacturer, we recommend that you disable the related service. + > + > For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd). + > + > You can disable a driver by following the steps in [How to temporarily deactivate the kernel mode filter driver in Windows](/troubleshoot/windows-server/performance/deactivate-kernel-mode-filter-driver). + > + > You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll back a device driver to a previous version](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)). ### Memory dump collection To configure the system for memory dump files, follow these steps: -1. 
Use the DumpConfigurator tool. +1. Select the Taskbar search box, type **Advanced system settings**, and then press **Enter**. -2. Extract the .zip file and navigate to **Source Code** folder. +2. On the **Advanced** tab on the System Properties box, select the **Settings** button that appears in the section **Startup and Recovery**. -3. Run the tool DumpConfigurator.hta, and then select **Elevate this HTA**. +3. In the new window, select the drop-down below the option **Write debugging information**. -4. Select **Auto Config Kernel**. +4. Choose **Automatic memory dump**. -5. Restart the computer for the setting to take effect. +5. Select **OK**. -6. Stop and disable Automatic System Restart Services (ASR) to prevent dump files from being written. +6. Restart the computer for the setting to take effect. 7. If the server is virtualized, disable auto reboot after the memory dump file is created. This disablement lets you take a snapshot of the server in-state and also if the problem recurs. 
The memory dump file is saved at the following locations: -| Dump file type | Location | -|----------------|----------| -|(none) | %SystemRoot%\MEMORY.DMP (inactive, or grayed out) | -|Small memory dump file (256 kb) | %SystemRoot%\Minidump | -|Kernel memory dump file | %SystemRoot%\MEMORY.DMP | -| Complete memory dump file | %SystemRoot%\MEMORY.DMP | -| Automatic memory dump file | %SystemRoot%\MEMORY.DMP | -| Active memory dump file | %SystemRoot%\MEMORY.DMP | +| Dump file type | Location | +|---------------------------------|-----------------------------------------------------| +| (none) | `%SystemRoot%\MEMORY.DMP` (inactive, or grayed out) | +| Small memory dump file (256 kb) | `%SystemRoot%\Minidump` | +| Kernel memory dump file | `%SystemRoot%\MEMORY.DMP` | +| Complete memory dump file | `%SystemRoot%\MEMORY.DMP` | +| Automatic memory dump file | `%SystemRoot%\MEMORY.DMP` | +| Active memory dump file | `%SystemRoot%\MEMORY.DMP` | -You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files aren't corrupted or invalid. For more information, see the following video:

+You can use the Microsoft Crash Dump File Checker (DumpChk) tool to verify that the memory dump files aren't corrupted or invalid. For more information, see the following video: ->[!video https://www.youtube.com/embed/xN7tOfgNKag] +> [!VIDEO https://www.youtube.com/embed/xN7tOfgNKag] -More information on how to use Dumpchk.exe to check your dump files: +For more information on how to use Dumpchk.exe to check your dump files, see the following articles: - [Using DumpChk](/windows-hardware/drivers/debugger/dumpchk) -- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) +- [Download DumpChk](https://developer.microsoft.com/windows/downloads/windows-10-sdk) -### Pagefile Settings +### Pagefile settings -- [Introduction of page file in Long-Term Servicing Channel and General Availability Channel of Windows](/windows/client-management/introduction-page-file) -- [How to determine the appropriate page file size for 64-bit versions of Windows](/windows/client-management/determine-appropriate-page-file-size) -- [How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2](/windows/client-management/generate-kernel-or-complete-crash-dump) +For more information on pagefile settings, see the following articles: + +- [Introduction to page files](introduction-page-file.md) +- [How to determine the appropriate page file size for 64-bit versions of Windows](determine-appropriate-page-file-size.md) +- [Generate a kernel or complete crash dump](generate-kernel-or-complete-crash-dump.md) ### Memory dump analysis Finding the root cause of the crash may not be easy. Hardware problems are especially difficult to diagnose because they may cause erratic and unpredictable behavior that can manifest itself in various symptoms. -When a Stop error occurs, you should first isolate the problematic components, and then try to cause them to trigger the Stop error again. 
If you can replicate the problem, you can usually determine the cause. +When a stop error occurs, you should first isolate the problematic components, and then try to cause them to trigger the stop error again. If you can replicate the problem, you can usually determine the cause. -You can use the tools such as Windows Software Development KIT (SDK) and Symbols to diagnose dump logs. The next section discusses how to use this tool. +You can use the tools such as Windows Software Development Kit (SDK) and symbols to diagnose dump logs. The next section discusses how to use this tool. ## Advanced troubleshooting steps ->[!NOTE] ->Advanced troubleshooting of crash dumps can be very challenging if you aren't experienced with programming and internal Windows mechanisms. We have attempted to provide a brief insight here into some of the techniques used, including some examples. However, to really be effective at troubleshooting a crash dump, you should spend time becoming familiar with advanced debugging techniques. For a video overview, see [Advanced Windows Debugging](https://channel9.msdn.com/Blogs/Charles/Advanced-Windows-Debugging-An-Introduction) and [Debugging Kernel Mode Crashes and Hangs](https://channel9.msdn.com/Shows/Defrag-Tools/DefragTools-137-Debugging-kernel-mode-dumps). Also see the advanced references listed below. +> [!NOTE] +> Advanced troubleshooting of crash dumps can be very challenging if you aren't experienced with programming and internal Windows mechanisms. We have attempted to provide a brief insight here into some of the techniques used, including some examples. However, to really be effective at troubleshooting a crash dump, you should spend time becoming familiar with advanced debugging techniques. For a video overview, [Debugging kernel mode crashes and hangs](/shows/defrag-tools/defragtools-137-debugging-kernel-mode-dumps). Also see the advanced references listed below. 
### Advanced debugging references -- [Advanced Windows Debugging](https://www.amazon.com/Advanced-Windows-Debugging-Mario-Hewardt/dp/0321374460) -- [Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)](/windows-hardware/drivers/debugger/index) +- [Advanced Windows Debugging, first edition book](https://www.amazon.com/Advanced-Windows-Debugging-Mario-Hewardt/dp/0321374460) +- [Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)](/windows-hardware/drivers/debugger/) ### Debugging steps -1. Verify that the computer is set up to generate a complete memory dump file when a crash occurs. For more information, see the steps [here](troubleshoot-windows-freeze.md#method-1-memory-dump). +1. Verify that the computer is set up to generate a complete memory dump file when a crash occurs. For more information, see [Method 1: Memory dump](troubleshoot-windows-freeze.md#method-1-memory-dump). 2. Locate the memory.dmp file in your Windows directory on the computer that is crashing, and copy that file to another computer. 
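Review bot: The new Memory dump collection steps tell the reader to "Choose **Automatic memory dump**", but the Debugging steps later in the same hunk still say "Verify that the computer is set up to generate a complete memory dump file when a crash occurs", so the two sections now give conflicting instructions; either select **Complete memory dump** in step 4 or adjust the debugging step to accept an automatic dump. Two smaller points: the rewritten NOTE drops its verb ("For a video overview, [Debugging kernel mode crashes and hangs](...)" should read "For a video overview, see ..."), and removing the old step "Stop and disable Automatic System Restart Services (ASR) to prevent dump files from being written" leaves the non-virtualized case with no guidance on preventing an automatic restart from interrupting dump creation; if the removal is intentional, a short replacement sentence would help.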
@@ -159,29 +146,30 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols 4. Start the install and choose **Debugging Tools for Windows**. The WinDbg tool is installed. -5. Open the WinDbg tool and set the symbol path by clicking **File** and then clicking **Symbol File Path**. +5. Go to the **File** menu and select **Symbol File Path** to open the WinDbg tool and set the symbol path. - 1. If the computer is connected to the Internet, enter the [Microsoft public symbol server](/windows-hardware/drivers/debugger/microsoft-public-symbols) (https://msdl.microsoft.com/download/symbols) and click **OK**. This method is the recommended one. + 1. If the computer is connected to the internet, enter the [Microsoft public symbol server](/windows-hardware/drivers/debugger/microsoft-public-symbols): `https://msdl.microsoft.com/download/symbols` and select **OK**. This method is recommended. - 1. If the computer isn't connected to the Internet, you must specify a local [symbol path](/windows-hardware/drivers/debugger/symbol-path). + 1. If the computer isn't connected to the internet, specify a local [symbol path](/windows-hardware/drivers/debugger/symbol-path). -6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below. +6. Select **Open Crash Dump**, and then open the memory.dmp file that you copied. - :::image type="content" alt-text="WinDbg img." source="images/windbg.png" lightbox="images/windbg.png"::: + :::image type="content" alt-text="Example output in WinDbg when opening a crash dump file." source="images/windbg.png" lightbox="images/windbg.png"::: -7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. The command !analyze -v is entered in the prompt at the bottom of the page. +7. Under **Bugcheck Analysis**, select **`!analyze -v`**. The command `!analyze -v` is entered in the prompt at the bottom of the page. -8. 
A detailed bugcheck analysis will appear. See the example below. +8. A detailed bug check analysis appears. - :::image type="content" alt-text="Bugcheck analysis." source="images/bugcheck-analysis.png" lightbox="images/bugcheck-analysis.png"::: + :::image type="content" alt-text="An example detailed bug check analysis." source="images/bugcheck-analysis.png" lightbox="images/bugcheck-analysis.png"::: -9. Scroll down to the section where it says **STACK_TEXT**. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash and if applicable what service is crashing the DLL. +9. Scroll down to the **STACK_TEXT** section. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash. If applicable, it also says what service is crashing the DLL. -10. See [Using the !analyze Extension](/windows-hardware/drivers/debugger/using-the--analyze-extension) for details about how to interpret the STACK_TEXT output. +10. For more information about how to interpret the STACK_TEXT output, see [Using the !analyze Extension](/windows-hardware/drivers/debugger/using-the--analyze-extension). -There are many possible causes of a bugcheck and each case is unique. In the example provided above, the important lines that can be identified from the STACK_TEXT are 20, 21, and 22: +There are many possible causes of a bug check and each case is unique. In the example provided above, the important lines that can be identified from the STACK_TEXT are 20, 21, and 22: -(HEX data is removed here and lines are numbered for clarity) +> [!NOTE] +> HEX data is removed here and lines are numbered for clarity. ```console 1 : nt!KeBugCheckEx 
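Review bot: Step 5 now reverses the order of operations: "Go to the **File** menu and select **Symbol File Path** to open the WinDbg tool and set the symbol path" reads as if choosing the menu item opens WinDbg, when the tool has to be open before its **File** menu exists. Suggest: "Open WinDbg. On the **File** menu, select **Symbol File Path** to set the symbol path." The rest of the hunk (lowercase "internet", `!analyze -v` in code formatting, descriptive alt text) looks good.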
@@ -215,62 +203,114 @@ There are many possible causes of a bugcheck and each case is unique. In the exa 29 : ntdll!RtlUserThreadStart+0x21 ``` -The problem here is with **mpssvc** which is a component of the Windows Firewall. The problem was repaired by disabling the firewall temporarily and then resetting firewall policies. +This issue is because of the **mpssvc** service, which is a component of the Windows Firewall. The problem was repaired by disabling the firewall temporarily and then resetting firewall policies. -More examples are provided in the [Debugging examples](#debugging-examples) section at the bottom of this article. +For more examples, see [Debugging examples](#debugging-examples). ## Video resources The following videos illustrate various troubleshooting techniques for analyzing dump files. -- [Analyze Dump File](https://www.youtube.com/watch?v=s5Vwnmi_TEY) -- [Installing Debugging Tool for Windows (x64 and x86)](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-Building-your-USB-thumbdrive/player#time=22m29s:paused) -- [Debugging kernel mode crash memory dumps](https://channel9.msdn.com/Shows/Defrag-Tools/DefragTools-137-Debugging-kernel-mode-dumps) -- [Special Pool](https://www.youtube.com/watch?v=vHXYS9KdU1k) - +- [Analyze dump file](https://www.youtube.com/watch?v=s5Vwnmi_TEY) +- [Installing debugging tool for Windows (x64 and x86)](/shows/defrag-tools/building-your-usb-thumbdrive) +- [Debugging kernel mode crash memory dumps](/shows/defrag-tools/defragtools-137-debugging-kernel-mode-dumps) +- [Special pool](https://www.youtube.com/watch?v=vHXYS9KdU1k) + ## Advanced troubleshooting using Driver Verifier -We estimate that about 75 percent of all Stop errors are caused by faulty drivers. The Driver Verifier tool provides several methods to help you troubleshoot. These include running drivers in an isolated memory pool (without sharing memory with other components), generating extreme memory pressure, and validating parameters. 
If the tool encounters errors in the execution of driver code, it proactively creates an exception to let that part of the code be examined further. +We estimate that about 75 percent of all stop errors are caused by faulty drivers. The Driver Verifier tool provides several methods to help you troubleshoot. These include running drivers in an isolated memory pool (without sharing memory with other components), generating extreme memory pressure, and validating parameters. If the tool encounters errors in the execution of driver code, it proactively creates an exception. It can then further examine that part of the code. ->[!WARNING] ->Driver Verifier consumes lots of CPU and can slow down the computer significantly. You may also experience additional crashes. Verifier disables faulty drivers after a Stop error occurs, and continues to do this until you can successfully restart the system and access the desktop. You can also expect to see several dump files created. +> [!WARNING] +> Driver Verifier consumes lots of CPU and can slow down the computer significantly. You may also experience additional crashes. Verifier disables faulty drivers after a stop error occurs, and continues to do this until you can successfully restart the system and access the desktop. You can also expect to see several dump files created. > ->Don’t try to verify all the drivers at one time. This can degrade performance and make the system unusable. This also limits the effectiveness of the tool. +> Don't try to verify all the drivers at one time. This action can degrade performance and make the system unusable. It also limits the effectiveness of the tool. Use the following guidelines when you use Driver Verifier: -- Test any “suspicious” drivers (drivers that were recently updated or that are known to be problematic). +- Test any "suspicious" drivers. For example, drivers that were recently updated or that are known to be problematic. 
- If you continue to experience non-analyzable crashes, try enabling verification on all third-party and unsigned drivers. -- Enable concurrent verification on groups of 10–20 drivers. +- Enable concurrent verification on groups of 10-20 drivers. - Additionally, if the computer can't boot into the desktop because of Driver Verifier, you can disable the tool by starting in Safe mode. This solution is because the tool can't run in Safe mode. For more information, see [Driver Verifier](/windows-hardware/drivers/devtest/driver-verifier). -## Common Windows Stop errors +## Common Windows stop errors This section doesn't contain a list of all error codes, but since many error codes have the same potential resolutions, your best bet is to follow the steps below to troubleshoot your error. -The following table lists general troubleshooting procedures for common Stop error codes. +The following sections list general troubleshooting procedures for common stop error codes. -Stop error message and code | Mitigation ---- | --- -VIDEO_ENGINE_TIMEOUT_DETECTED or VIDEO_TDR_TIMEOUT_DETECTED
Stop error code 0x00000141, or 0x00000117 | Contact the vendor of the listed display driver to get an appropriate update for that driver. -DRIVER_IRQL_NOT_LESS_OR_EQUAL
Stop error code 0x0000000D1 | Apply the latest updates for the driver by applying the latest cumulative updates for the system through the Microsoft Update Catalog website.Update an outdated NIC driver. Virtualized VMware systems often run “Intel(R) PRO/1000 MT Network Connection” (e1g6032e.sys). This driver is available at [http://downloadcenter.intel.com](http://downloadcenter.intel.com). Contact the hardware vendor to update the NIC driver for a resolution. For VMware systems, use the VMware integrated NIC driver (types VMXNET or VMXNET2 , VMXNET3 can be used) instead of Intel e1g6032e.sys. -PAGE_FAULT_IN_NONPAGED_AREA
Stop error code 0x000000050 | If a driver is identified in the Stop error message, contact the manufacturer for an update.If no updates are available, disable the driver, and monitor the system for stability. Run Chkdsk /f /r to detect and repair disk errors. You must restart the system before the disk scan begins on a system partition. Contact the manufacturer for any diagnostic tools that they may provide for the hard disk subsystem. Try to reinstall any application or service that was recently installed or updated. It's possible that the crash was triggered while the system was starting applications and reading the registry for preference settings. Reinstalling the application can fix corrupted registry keys.If the problem persists, and you have run a recent system state backup, try to restore the registry hives from the backup. -SYSTEM_SERVICE_EXCEPTION
Stop error code c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005. The system has been shut down. | Use the System File Checker tool to repair missing or corrupted system files. The System File Checker lets users scan for corruptions in Windows system files and restore corrupted files. For more information, see [Use the System File Checker tool](https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files). -NTFS_FILE_SYSTEM
Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this step, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button. We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem. -KMODE_EXCEPTION_NOT_HANDLED
Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added.

If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To disable the driver, follow these steps:

Go to **Settings > Update & security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option. -DPC_WATCHDOG_VIOLATION
Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that doesn't complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for other error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](/archive/blogs/ntdebugging/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012) to find the problematic driver from the memory dump. -USER_MODE_HEALTH_MONITOR
Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process. Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
Event ID: 4870
Source: Microsoft-Windows-FailoverClustering
Description: User mode health monitoring has detected that the system isn't being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action is taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw). +### VIDEO_ENGINE_TIMEOUT_DETECTED or VIDEO_TDR_TIMEOUT_DETECTED + +Stop error code 0x00000141, or 0x00000117 + +Contact the vendor of the listed display driver to get an appropriate update for that driver. + +### DRIVER_IRQL_NOT_LESS_OR_EQUAL + +Stop error code 0x0000000D1 + +Apply the latest updates for the driver by applying the latest cumulative updates for the system through the Microsoft Update Catalog website. Update an outdated network driver. Virtualized VMware systems often run "Intel(R) PRO/1000 MT Network Connection" (e1g6032e.sys). You can download this driver from the [Intel Download Drivers & Software website](https://downloadcenter.intel.com). Contact the hardware vendor to update the network driver for a resolution. For VMware systems, use the VMware integrated network driver instead of Intel's e1g6032e.sys. For example, use VMware types `VMXNET`, `VMXNET2`, or `VMXNET3`. + +### PAGE_FAULT_IN_NONPAGED_AREA + +Stop error code 0x000000050 + +If a driver is identified in the stop error message, contact the manufacturer for an update. If no updates are available, disable the driver, and monitor the system for stability. Run `chkdsk /f /r` to detect and repair disk errors. Restart the system before the disk scan begins on a system partition. Contact the manufacturer for any diagnostic tools that they may provide for the hard disk subsystem. Try to reinstall any application or service that was recently installed or updated. It's possible that the crash was triggered while the system was starting applications and reading the registry for preference settings. 
Reinstalling the application can fix corrupted registry keys. If the problem persists, and you have run a recent system state backup, try to restore the registry hives from the backup. + +### SYSTEM_SERVICE_EXCEPTION + +Stop error code c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005. The system has been shut down. + +Use the System File Checker tool to repair missing or corrupted system files. The System File Checker lets users scan for corruptions in Windows system files and restore corrupted files. For more information, see [Use the System File Checker tool](https://support.microsoft.com/topic/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e). + +### NTFS_FILE_SYSTEM + +Stop error code 0x000000024 + +This stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this step, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button. Update the NTFS file system driver (Ntfs.sys). Apply the latest cumulative updates for the current operating system that's experiencing the problem. + +### KMODE_EXCEPTION_NOT_HANDLED + +Stop error code 0x0000001E + +If a driver is identified in the stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added. + +If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use safe mode to disable the driver in Device Manager. To disable the driver, follow these steps: + +1. 
Go to **Settings > Update & security > Recovery**. +1. Under **Advanced startup**, select **Restart now**. +1. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. +1. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in safe mode. If you intend to use the internet while in safe mode, press **5** or **F5** for the **Safe Mode with Networking** option. + +### DPC_WATCHDOG_VIOLATION + +Stop error code 0x00000133 + +This stop error code is caused by a faulty driver that doesn't complete its work within the allotted time frame in certain conditions. To help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for other error messages that might help identify the device or driver that's causing stop error 0x133. Verify that any new hardware that's installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the `c:\windows\memory.dmp` file into the debugger. Then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](/archive/blogs/ntdebugging/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012) to find the problematic driver from the memory dump. + +### USER_MODE_HEALTH_MONITOR + +Stop error code 0x0000009E + +This stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Windows restores critical services by restarting or enabling application failover to other servers. 
The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components. + +This stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe. Check the event logs for any storage failures to identify the failing process. Try to update the component or process that's indicated in the event logs. You should see the following event recorded: + +- Event ID: 4870 +- Source: Microsoft-Windows-FailoverClustering +- Description: User mode health monitoring has detected that the system isn't being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID '%1', for '%2' seconds. Recovery action is taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang. + +For more information, see ["0x0000009E" Stop error on cluster nodes in a Windows Server-based multi-node failover cluster environment](https://support.microsoft.com/topic/-0x0000009e-stop-error-on-cluster-nodes-in-a-windows-server-based-multi-node-failover-cluster-environment-7e0acceb-b498-47f8-e004-96de6e497cba) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw). ## Debugging examples ### Example 1 -This bugcheck is caused by a driver hang during upgrade, resulting in a bugcheck D1 in NDIS.sys (a Microsoft driver). The **IMAGE_NAME** tells you the faulting driver, but since this driver is Microsoft driver it can't be replaced or removed. The resolution method is to disable the network device in device manager and try the upgrade again. +This bug check is caused by a driver hang during upgrade, resulting in a bug check D1 in NDIS.sys, which is a Microsoft driver. The **IMAGE_NAME** tells you the faulting driver, but since this driver is s Microsoft driver, it can't be replaced or removed. 
The resolution method is to disable the network device in device manager and try the upgrade again. ```console 2: kd> !analyze -v @@ -429,7 +469,7 @@ Followup: ndiscore ### Example 2 -In this example, a non-Microsoft driver caused page fault, so we don’t have symbols for this driver. However, looking at **IMAGE_NAME** and or **MODULE_NAME** indicates it’s **WwanUsbMP.sys** that caused the issue. Disconnecting the device and retrying the upgrade is a possible solution. +In this example, a non-Microsoft driver caused page fault, so we don't have symbols for this driver. However, looking at **IMAGE_NAME** and or **MODULE_NAME** indicates it's **WwanUsbMP.sys** that caused the issue. Disconnecting the device and retrying the upgrade is a possible solution. ```console 1: kd> !analyze -v @@ -605,4 +645,4 @@ ReadVirtual: 812d1248 not properly sign extended ## References -[Bug Check Code Reference](/windows-hardware/drivers/debugger/bug-check-code-reference2) +[Bug check code reference](/windows-hardware/drivers/debugger/bug-check-code-reference2) diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index 01d04d52a9..9820130606 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md 
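Review bot: the stop codes added for DRIVER_IRQL_NOT_LESS_OR_EQUAL, PAGE_FAULT_IN_NONPAGED_AREA and NTFS_FILE_SYSTEM carry nine hex digits (`0x0000000D1`, `0x000000050`, `0x000000024`); bug check codes are 32-bit values, so these should read `0x000000D1`, `0x00000050` and `0x00000024`, matching the eight-digit form the same hunk uses for `0x00000141`, `0x0000001E` and `0x00000133`. The SYSTEM_SERVICE_EXCEPTION section is mislabeled: SYSTEM_SERVICE_EXCEPTION is bug check 0x0000003B, but the line under the heading quotes `c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005`, which is STATUS_SYSTEM_PROCESS_TERMINATED (0xC000021A), a different failure (a critical user-mode process such as csrss or winlogon exiting) whose remediation is not the same as a 0x3B; either retitle that section or supply the 0x3B code and guidance. In USER_MODE_HEALTH_MONITOR, "the indicated faulty driver is RHS.exe" should say process, since RHS.exe is the cluster Resource Hosting Subsystem, a user-mode executable, not a driver. In Example 1 the rewritten sentence has a typo, "since this driver is s Microsoft driver, it can't be replaced or removed"; change "s" to "a".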
@@ -1,269 +1,257 @@ --- -title: Advanced troubleshooting for Windows-based computer freeze issues -ms.reviewer: -manager: dansimp +title: Advanced troubleshooting for Windows freezes description: Learn how to troubleshoot computer freeze issues on Windows-based computers and servers. Also, you can learn how to diagnose, identify, and fix these issues. ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library +ms.technology: windows ms.topic: troubleshooting -author: dansimp +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: ms.localizationpriority: medium -ms.author: dansimp ms.collection: highpri --- -# Advanced troubleshooting for Windows-based computer freeze issues +# Advanced troubleshooting for Windows freezes -This article describes how to troubleshoot freeze issues on Windows-based computers and servers. It also provides methods for collecting data that will help administrators or software developers diagnose, identify, and fix these issues. +This article describes how to troubleshoot freeze issues on Windows-based computers and servers. It also provides methods for collecting data that will help administrators or software developers diagnose, identify, and fix these issues. > [!NOTE] -> The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. +> The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. -## Identify the problem +## Identify the problem -* Which computer is freezing? (Example: The impacted computer is a physical server, virtual server, and so on.) -* What operation was being performed when the freezes occurred? 
(Example: This issue occurs when you shut down GUI, perform one or more operations, and so on.) -* How often do the errors occur? (Example: This issue occurs every night at 7 PM, every day around 7 AM, and so on.) -* On how many computers does this freeze occur? (Example: All computers, only one computer, 10 computers, and so on.) +- Which computer is freezing? For example, the affected computer is a physical server or a virtual server. +- What operation happened when it froze? For example, this issue occurs when you shut down. +- How often do the errors occur? For example, this issue occurs every night at 7 PM. +- On how many computers does this freeze occur? For example, all computers or only one computer. -## Troubleshoot the freeze issues +## Troubleshoot the freeze issues -To troubleshoot the freeze issues, check the current status of your computer, and follow one of the following methods. +To troubleshoot the freeze issues, check the current status of your computer, and follow one of the following methods. -### For the computer that's still running in a frozen state +### For the computer that's still running in a frozen state -If the physical computer or the virtual machine is still freezing, use one or more of the following methods for troubleshooting: +If the physical computer or the virtual machine is still freezing, use one or more of the following methods for troubleshooting: -* Try to access the computer through Remote Desktop, Citrix, and so on. -* Use the domain account or local administrator account to sign in to the computer by using one of the Remote Physical Console Access features, such as Dell Remote Access Card (DRAC), HP Integrated Lights-Out (iLo), or IBM Remote supervisor adapter (RSA). -* Test ping to the computer. Packet dropping and high network latency may be observed. -* Access administrative shares (\\\\**ServerName**\\c$). -* Press Ctrl + Alt + Delete command and check response. 
-* Try to use Remote Admin tools such as Computer Management, remote Server Manager, and Wmimgmt.msc. +- Try to access the computer through a remote desktop connection. +- Use a domain account or local administrator account to sign in to the computer with the hardware manufacturer's remote access solution. For example, Dell Remote Access Card (DRAC), HP Integrated Lights-Out (iLo), or IBM Remote supervisor adapter (RSA). +- Test ping to the computer. Look for dropped packets and high network latency. +- Access administrative shares, for example `\\ServerName\c$`. +- Press **Ctrl** + **Alt** + **Delete** and check the response. +- Try to use Windows remote administration tools. For example, Computer Management, Server Manager, and Wmimgmt.msc. -### For the computer that is no longer frozen +### For the computer that's no longer frozen -If the physical computer or virtual machine froze but is now running in a good state, use one or more of the following methods for troubleshooting. +If the physical computer or virtual machine froze, but is now running in a good state, use one or more of the following methods for troubleshooting. -#### For a physical computer +#### For a physical computer -* Review the System and Application logs from the computer that is having the issue. Check the event logs for the relevant Event ID: +- Review the System and Application logs from the computer that's having the issue. 
Check the event logs for the relevant Event ID: - - Application event log: Application Error (suggesting Crash or relevant System Process) - - System Event logs, Service Control Manager Error event IDs for Critical System Services - - Error Event IDs 2019/2020 with source Srv/Server + - Application event log: Application Error, which suggests a crash or relevant system process + - System Event logs, Service Control Manager Error event IDs for critical system services + - Error Event IDs 2019/2020 with source Srv/Server -* Generate a System Diagnostics report by running the perfmon /report command. +- Generate a System Diagnostics report by running `perfmon /report`. -#### For a virtual machine +#### For a virtual machine -* Review the System and Application logs from the computer that is having the issue. -* Generate a System Diagnostics report by running the perfmon /report command. -* Check history in virtual management monitoring tools. +- Review the System and Application logs from the computer that is having the issue. +- Generate a System Diagnostics report by running `perfmon /report`. +- Check the system's history in virtual management monitoring tools. +## Collect data for the freeze issues -## Collect data for the freeze issues +To collect data for a server freeze, check the following table, and use one or more of the suggested methods. -To collect data for a server freeze, check the following table, and use one or more of the suggested methods. +|Computer type and state |Data collection method | +|-------------------------|--------------------| +|A physical computer that's running in a frozen state|[Use a memory dump file to collect data](#use-memory-dump-to-collect-data-for-the-physical-computer-thats-running-in-a-frozen-state). Or use method 2, 3, or 4. These methods are listed later in this section.| +|A physical computer that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section. 
And [use Pool Monitor to collect data](#use-pool-monitor-to-collect-data-for-the-physical-computer-that-is-no-longer-frozen).| +|A virtual machine that's running in a frozen state|Hyper-V or VMware: [Use a memory dump file to collect data for the virtual machine that's running in a frozen state](#use-memory-dump-to-collect-data-for-the-virtual-machine-thats-running-in-a-frozen-state).
XenServer: Use method 1, 2, 3, or 4. These methods are listed later in this section.| +|A virtual machine that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section.| -|Computer type and state |Data collection method | -|-------------------------|--------------------| -|A physical computer that's running in a frozen state|[Use a memory dump file to collect data](#use-memory-dump-to-collect-data-for-the-physical-computer-thats-running-in-a-frozen-state). Or use method 2, 3, or 4. These methods are listed later in this section.| -|A physical computer that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section. And [use Pool Monitor to collect data](#use-pool-monitor-to-collect-data-for-the-physical-computer-that-is-no-longer-frozen).| -|A virtual machine that's running in a frozen state|Hyper-V or VMware: [Use a memory dump file to collect data for the virtual machine that's running in a frozen state](#use-memory-dump-to-collect-data-for-the-virtual-machine-thats-running-in-a-frozen-state).
XenServer: Use method 1, 2, 3, or 4. These methods are listed later in this section.| -|A virtual machine that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section.| +### Method 1: Memory dump +> [!IMPORTANT] +> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692) in case problems occur. -### Method 1: Memory dump +A complete memory dump file records all the contents of system memory when the computer stops unexpectedly. A complete memory dump file may contain data from processes that were running when the memory dump file was collected. + +If the computer is no longer frozen and now is running in a good state, use the following steps to enable memory dump so that you can collect memory dump when the freeze issue occurs again. If the virtual machine is still running in a frozen state, use the following steps to enable and collect memory dump. > [!NOTE] -> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. +> If you have a restart feature that's enabled on the computer, such as the Automatic System Restart (ASR) feature in Compaq computers, disable it. This setting is usually found in the BIOS. With this feature enabled, if the BIOS doesn't detect a heartbeat from the operating system, it will restart the computer. The restart can interrupt the dump process. -A complete memory dump file records all the contents of system memory when the computer stops unexpectedly. A complete memory dump file may contain data from processes that were running when the memory dump file was collected. +1. 
Make sure that the computer is set up to get a complete memory dump file. -If the computer is no longer frozen and now is running in a good state, use the following steps to enable memory dump so that you can collect memory dump when the freeze issue occurs again. If the virtual machine is still running in a frozen state, use the following steps to enable and collect memory dump. + 1. Go to **Run** and enter `Sysdm.cpl`, and then press enter. -> [!NOTE] -> If you have a restart feature that is enabled on the computer, such as the Automatic System Restart (ASR) feature in Compaq computers, disable it. This setting is usually found in the BIOS. With this feature enabled, if the BIOS doesn't detect a heartbeat from the operating system, it will restart the computer. The restart can interrupt the dump process. + 1. In **System Properties**, on the **Advanced** tab, select **Performance** \> **Settings** \> **Advanced**. Select **Change** to check or change the virtual memory. + 1. Go back to **System Properties** \> **Advanced** \> **Settings** in **Startup and Recovery**. -1. Ensure that the computer is set up to get a complete memory dump file. To do this setup, follow these steps: + 1. In the **Write Debugging Information** section, select **Complete Memory Dump**. - 1. Go to **Run** and enter `Sysdm.cpl`, and then press enter. - - 2. In **System Properties**, on the **Advanced** tab, select **Performance** \> **Settings** \> **Advanced**, and then check or change the virtual memory by clicking **Change**. + 1. Select **Overwrite any existing file**. - 2. Go back to **System Properties** \> **Advanced** \> **Settings** in **Startup and Recovery**. + 1. Make sure that there's a paging file (pagefile.sys) on the system drive and that it's at least 100 MB over the installed RAM (Initial and Maximum Size). - 3. In the **Write Debugging Information** section, select **Complete Memory Dump**. + 1. 
Make sure that there's more available space on the system drive than there's physical RAM. - > [!NOTE] - > For Windows versions that are earlier than Windows 8 or Windows Server 2012, the Complete Memory Dump type isn't available in the GUI. You have to change it in Registry Editor. To do this, change the value of the following **CrashDumpEnabled** registry entry to **1** (REG_DWORD): - >**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled** +1. To allow the system to generate a dump file by using the keyboard, enable the `CrashOnCtrlScroll` registry value. - 4. Select **Overwrite any existing file**. + 1. Open the Registry Editor, and then locate the following registry keys: - 5. Make sure that there's a paging file (pagefile.sys) on the system drive and that it’s at least 100 megabytes (MB) over the installed RAM (Initial and Maximum Size). + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` - 6. Make sure that there's more available space on the system drive than there's physical RAM. + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` -2. Enable the CrashOnCtrlScroll registry value to allow the system to generate a dump file by using the keyboard. To do this enablement, follow these steps: + 1. Create the following `CrashOnCtrlScroll` registry entry in the two registry keys: - 1. Go to Registry Editor, and then locate the following registry keys: + - **Value Name**: `CrashOnCtrlScroll` + - **Data Type**: `REG_DWORD` + - **Value**: `1` - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` + 1. Close the Registry Editor and restart the computer. - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` +1. On some physical computers running earlier versions of Windows, you may generate a nonmakeable interruption (NMI) from a web interface feature such as DRAC, iLo, or RSA. 
However, by default, this setting will stop the system without creating a memory dump. - 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys: + > [!NOTE] + > For currently supported versions of Windows, the `NMICrashDump` registry key is no longer required. An NMI causes a [Stop error that follows a memory dump data collection](/troubleshoot/windows-client/performance/nmi-hardware-failure-error). - - **Value Name**: `CrashOnCtrlScroll` - - **Data Type**: `REG_DWORD` - - **Value**: `1` - - 3. Exit Registry Editor. +1. When the computer exhibits the problem, hold down the right **Ctrl** key, and press the **Scroll Lock** key two times to generate a memory dump file. - 4. Restart the computer. + > [!NOTE] + > By default, the dump file is located in the following path: `%SystemRoot%\MEMORY.DMP` -3. On some physical computers, you may generate a nonmakeable interruption (NMI) from the Web Interface feature (such as DRAC, iLo, and RSA). However, by default, this setting will stop the system without creating a memory dump. +### Method 2: Data sanity check - To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change. - - > [!NOTE] - > This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](/troubleshoot/windows-client/performance/nmi-hardware-failure-error). - -4. When the computer exhibits the problem, hold down the right **Ctrl** key, and press the **Scroll Lock** key two times to generate a memory dump file. 
- - > [!NOTE] - > By default, the dump file is located in the following path:
- > %SystemRoot%\MEMORY.DMP - - -### Method 2: Data sanity check - -Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file or verify that the file was created correctly. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files aren't corrupted or invalid. +Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file. It can also verify that the file was created correctly and isn't corrupted or invalid. - [Using DumpChk](/windows-hardware/drivers/debugger/dumpchk) -- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) +- [Download DumpChk](https://developer.microsoft.com/windows/downloads/windows-10-sdk) -Learn how to use Dumpchk.exe to check your dump files: +Learn how to use Dumpchk.exe to check your dump files: -> [!video https://www.youtube-nocookie.com/embed/xN7tOfgNKag] +> [!VIDEO https://www.youtube.com/embed/xN7tOfgNKag] +### Method 3: Performance Monitor -### Method 3: Performance Monitor +You can use Windows Performance Monitor to examine how programs that you run affect your computer's performance, both in real time and by collecting log data for later analysis. To create performance counter and event trace log collections on local and remote systems, run the following commands in a command prompt as administrator: -You can use Windows Performance Monitor to examine how programs that you run affect your computer's performance, both in real time and by collecting log data for later analysis. 
To create performance counter and event trace log collections on local and remote systems, run the following commands in a command prompt as administrator: +```command +Logman create counter LOGNAME_Long -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:05:00 +``` -```console -Logman create counter LOGNAME_Long -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:05:00 -``` +```command +Logman create counter LOGNAME_Short -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:00:10 +``` -```console -Logman create counter LOGNAME_Short -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" 
"\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:00:10 -``` +Then, you can start or stop the log by running the following commands: -Then, you can start or stop the log by running the following commands: +```command +logman start LOGNAME_Long / LOGNAME_Short +logman stop LOGNAME_Long / LOGNAME_Short +``` -```console -logman start LOGNAME_Long / LOGNAME_Short -logman stop LOGNAME_Long / LOGNAME_Short -``` +The Performance Monitor log is located in the path: `C:\PERFLOGS` -The Performance Monitor log is located in the path: C:\PERFLOGS +### Other methods to collect data -### Additional methods to collect data - -#### Use memory dump to collect data for the physical computer that's running in a frozen state +#### Use memory dump to collect data for the physical computer that's running in a frozen state > [!WARNING] -> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. +> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692) in case problems occur. -If the physical computer is still running in a frozen state, follow these steps to enable and collect memory dump: +If the physical computer is still running in a frozen state, follow these steps to enable and collect memory dump: +1. Make sure that the computer is set up to get a complete memory dump file and that you can access it through the network. -1. Ensure that the computer is set up to get a complete memory dump file and that you can access it through the network. 
To do this setup, follow these steps: - > [!NOTE] - > If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI interruption. The result of the action may not collect a memory dump file if some of the following settings aren't qualified. + > [!NOTE] + > If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI. The result of the action may not collect a memory dump file if some of the following settings aren't qualified. - 1. Try to access the desktop of the computer by any means. - - > [!NOTE] - > In case accessing the operating system isn't possible, try to access Registry Editor on the computer remotely in order to check the type of memory dump file and page file with which the computer is currently configured. - - 2. From a remote computer that is preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the concerned computer, and verify the following settings: - - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` - - Make sure that the [CrashDumpEnabled](/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`. - - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump` - - On some physical servers, if the NMICrashDump registry entry exists and its value is `1`, you may take advantage of the NMI from the remote management capabilities (such as DRAC, iLo, and RSA). - - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles and ExistingPageFiles` - - If the value of the **Pagefile** registry entry is system managed, the size won't be reflected in the registry (Example value: ?:\pagefile.sys). 
- - If the page file is customized, the size will be reflected in the registry, such as ‘?:\pagefile.sys 1024 1124’ where 1024 is the initial size and 1124 is the max size. + 1. Try to access the desktop of the computer by any means. > [!NOTE] - > If the size isn't reflected in the Registry, try to access an Administrative share where the page file is located (such as \\\\**ServerName**\C$). + > In case accessing the OS isn't possible, try to remotely access Registry Editor on the computer. You can then check the type of memory dump file and page file with which the computer is currently configured. - 3. Ensure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM. + 1. From a remote computer that's preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the affected computer, and verify the following settings: - 4. Ensure that there's more free space on the hard disk drives of the computer than there's physical RAM. + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` -2. Enable the **CrashOnCtrlScroll** registry value on the computer to allow the system to generate a dump file by using the keyboard. To do this enablement, follow these steps: + Make sure that the [CrashDumpEnabled](/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`. - 1. From a remote computer preferably in the same network and subnet, go to Registry Editor \> Connect Network Registry. 
Connect to the concerned computer and locate the following registry keys: + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump` - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` + On some physical servers, if the NMICrashDump registry entry exists and its value is `1`, you may take advantage of the NMI from the remote management provider such as DRAC, iLo, and RSA. - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles and ExistingPageFiles` - 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys: + If the value of the **Pagefile** registry entry is system-managed, the size won't be reflected in the registry. For example, `?:\pagefile.sys)` - **Value Name**: `CrashOnCtrlScroll` - **Data Type**: `REG_DWORD` - **Value**: `1` + If the page file is customized, the size will be reflected in the registry, such as `?:\pagefile.sys 1024 1124`. In this example, `1024` is the initial size and `1124` is the max size. - 3. Exit Registry Editor. + > [!NOTE] + > If the size isn't reflected in the Registry, try to access an administrative share where the page file is located. For example, `\\ServerName\C$` - 4. Restart the computer. + 1. Make sure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM. -3. When the computer exhibits the problem, hold down the right **CTRL** key, and press the **Scroll Lock** key two times to generate a memory dump. - > [!NOTE] - > By default, the dump file is located in the path: %SystemRoot%\MEMORY.DMP + 1. Make sure that there's more free space on the hard disk drives of the computer than there's physical RAM. -### Use Pool Monitor to collect data for the physical computer that is no longer frozen +1. 
Enable the **CrashOnCtrlScroll** registry value on the computer to allow the system to generate a dump file by using the keyboard. -Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag. + 1. From a remote computer preferably in the same network and subnet, go to Registry Editor \> Connect Network Registry. Connect to the affected computer and locate the following registry keys: -Learn [how to use Memory Pool Monitor to troubleshoot kernel mode memory leaks](https://support.microsoft.com/office/how-to-use-memory-pool-monitor-poolmon-exe-to-troubleshoot-kernel-mode-memory-leaks-4f4a05c2-ef8a-fca4-3ae0-670b940af398). + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` -### Use memory dump to collect data for the virtual machine that's running in a frozen state + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` -Use the one of the following methods for the application on which the virtual machine is running. + 1. Create the following `CrashOnCtrlScroll` registry entry in the two registry keys: -#### Microsoft Hyper-V + **Value Name**: `CrashOnCtrlScroll` + **Data Type**: `REG_DWORD` + **Value**: `1` -If the virtual machine is running Windows 8, Windows Server 2012, or a later version of Windows on Microsoft Hyper-V Server 2012, you can use the built-in NMI feature through a [Debug-VM](/previous-versions/windows/powershell-scripting/dn464280(v=wps.630)) cmdlet to debug and get a memory dump. + 1. Close the Registry Editor and restart the computer. -To debug the virtual machines on Hyper-V, run the following cmdlet in Windows PowerShell: +1. When the computer exhibits the problem, hold down the right **CTRL** key, and press the **Scroll Lock** key two times to generate a memory dump. 
-```powershell + > [!NOTE] + > By default, the dump file is located in the path: `%SystemRoot%\MEMORY.DMP` + +### Use Pool Monitor to collect data for the physical computer that is no longer frozen + +Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag. + +For more information, see [How to use Memory Pool Monitor to troubleshoot kernel mode memory leaks](https://support.microsoft.com/topic/4f4a05c2-ef8a-fca4-3ae0-670b940af398). + +### Use memory dump to collect data for the virtual machine that's running in a frozen state + +Use the one of the following methods for the application on which the virtual machine is running. + +#### Microsoft Hyper-V + +You can also use the built-in NMI feature through a [Debug-VM](/powershell/module/hyper-v/debug-vm) cmdlet to debug and get a memory dump. + +To debug the virtual machines on Hyper-V, run the following cmdlet in Windows PowerShell: + +```powershell Debug-VM -Name "VM Name" -InjectNonMaskableInterrupt -ComputerName Hostname -``` +``` -> [!NOTE] -> This method is applicable only to Windows 8, Windows Server 2012, and later versions of Windows virtual machines. For the earlier versions of Windows, see methods 1 through 4 that are described earlier in this section. +#### VMware -#### VMware +You can use VMware snapshots or suspend state and extract a memory dump file equivalent to a complete memory dump file. Use VMware's [Checkpoint To Core Tool (vmss2core)](https://flings.vmware.com/vmss2core) to convert both suspend (`.vmss`) and snapshot (`.vmsn`) state files to a dump file. Then analyze the file by using the standard Windows debugging tools. -You can use VMware Snapshots or suspend state and extract a memory dump file equivalent to a complete memory dump file. 
By using [Checkpoint To Core Tool (vmss2core)](https://labs.vmware.com/flings/vmss2core), you can convert both suspend (.vmss) and snapshot (.vmsn) state files to a dump file and then analyze the file by using the standard Windows debugging tools. +#### Citrix XenServer -#### Citrix XenServer +The memory dump process occurs by pressing the RIGHT CTRL + SCROLL LOCK + SCROLL LOCK keyboard combination. For more information, see Method 1 of [How to Trigger a Memory Dump from a Windows Virtual Machine Running on XenServer](https://support.citrix.com/article/ctx123177) from Citrix. -The memory dump process occurs by pressing the RIGHT CTRL + SCROLL LOCK + SCROLL LOCK keyboard combination that's described in Method 1 and on [the Citrix site](http://support.citrix.com/article/ctx123177). \ No newline at end of file +## Space limitations on the system drive in Windows Server + +On a Windows Server, you may not have enough free disk space to generate a complete memory dump file on the system volume. +There's a second option if the system drive doesn't have sufficient space. You can use the DedicatedDumpFile registry entry. For more information, see [Configure the destination path for a memory dump](/windows-server/administration/server-core/server-core-memory-dump#step-2-configure-the-destination-path-for-a-memory-dump). + +For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](/archive/blogs/ntdebugging/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump). diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 13779d0100..7ec5869bf1 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md 
@@ -46,7 +46,9 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) +In Windows 10, version 1909, assigned access adds support for the new Microsoft Edge kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/DeployEdge/microsoft-edge-configure-kiosk-mode). + +In Windows 10, version 1809, Microsoft Edge Legacy includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. 
@@ -156,6 +158,12 @@ You can create your own web browser Windows app by using the WebView class. Lear Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. +## Customize your breakout sequence + +Assigned access allows for the specification of a new breakout sequence. A breakout sequence is a keyboard shortcut that stops the kiosk experience and brings the user back to the lock screen. By default the breakout sequence is configured to be ctrl+alt+delete, a common Windows keyboard shortcut. It is recommended that this is set to a non-standard Windows shortcut to prevent disruptions in the kiosk experience. + +There is currently no user interface for customizing the breakout sequence in Windows settings, so it would need to be specified in a provisioning method where an XML format such as MDM is used. + ## App configuration Some apps may require additional configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access. diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index e002ead309..179c44499b 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md 
@@ -342,3 +342,8 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a `HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. + +> [!NOTE] +> **IdleTimeOut** doesn't apply to the new Microsoft Edge kiosk mode. + +The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **a** is the key value. For more information, see [Microsoft Edge kiosk XML sample](/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample). diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 7dd54085f1..f6ddb6a2d4 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md 
@@ -254,16 +254,40 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` +## Microsoft Edge Kiosk XML Sample +```xml + + + + + + + + + + + EdgeKioskUser + + + + +``` + ## Global Profile Sample XML Global Profile is supported on: -- Windows 10 version 2004+ - Windows 11 +- Windows 10, version 2004 and later -Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. +Global Profile is designed for scenarios where a user doesn't have a designated profile, yet you still want the user to run in lockdown mode. It's also used as mitigation when a profile can't be determined for a user. -This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in. +This sample demonstrates that only a global profile is used, with no active user configured. Global Profile will be applied when every non-admin account signs in. ```xml @@ -642,13 +666,12 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n ## XSD for AssignedAccess configuration XML ->[!NOTE] ->Updated for Windows 10, version 1903+. +> [!NOTE] +> Updated for Windows 10, version 1903 and later. -The following XML schema is for AssignedAccess Configuration up to Windows 10 1803 release: +The following XML schema is for AssignedAccess Configuration up to Windows 10, version 1803 release: ```xml - + @@ -670,8 +695,14 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18 + + + + + + @@ -680,7 +711,19 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18 - + + + + + + + + + + + + + @@ -781,6 +824,7 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18 + 
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 074b1f2d92..e1650926b3 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -145,8 +145,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120117_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120117_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index d3311ce5e8..ce7b9f9219 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md 
@@ -190,7 +190,7 @@ Starting in Windows 10, version 1803, specifies the maximum foreground download ### Maximum Background Download Bandwidth -Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set. +Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers are not throttled even when this policy is set. ### Percentage of Maximum Download Bandwidth diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 833a2b655d..f666a097be 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md 
@@ -90,6 +90,18 @@ When users start scanning in Windows Update through the Settings panel, the foll - Windows Update uses the thread ID filtering to concentrate on one particular task. ![Windows Update scan log 1.](images/update-scan-log-1.png) + +#### Proxy Behavior +For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP]: SimpleAuth Web Service | Microsoft Docs, [MS-WUSP]: Client Web Service | Microsoft Docs): +- System proxy is attempted (set using the `netsh` command). +- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it is the logged-in user). + + > [!Note] + > For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior. + +For WU URLs that _aren't_ used for update detection, such as for download or reporting: +- User proxy is attempted. +- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then the system proxy is attempted. #### Identifies service IDs diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md index 37ad4990d7..e90960de49 100644 --- a/windows/deployment/update/wufb-wsus.md +++ b/windows/deployment/update/wufb-wsus.md @@ -1,5 +1,5 @@ --- -title: Use Windows Update for Business (WUfB) and Windows Server Update Services (WSUS) together +title: Use Windows Update for Business and Windows Server Update Services (WSUS) together description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy. ms.prod: w10 ms.mktglfcycl: manage 
@@ -23,7 +23,7 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business (WUfB) service. +The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business service. We added the scan source policy starting with the [September 1, 2021—KB5005101 (OS Builds 19041.1202, 19042.1202, and 19043.1202) Preview](https://support.microsoft.com/help/5005101) update and it applies to Window 10, version 2004 and above and Windows 11. This policy changes the way devices determine whether to scan against a local WSUS server or Windows Update service. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 5e5a751b1b..fc82f5a509 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -6809,7 +6809,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable 
@@ -6823,7 +6823,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -6864,7 +6864,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index bcfa0ba684..e660f2df49 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -8296,7 +8296,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable 
@@ -8310,7 +8310,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -8351,7 +8351,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded 
@@ -9584,8 +9584,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. - **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. - **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 6d2cc70a0c..2dd8d27ae5 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md 
@@ -3627,7 +3627,7 @@ The following fields are available: - **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. - **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. - **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). -- **IsDeviceWUFBManaged** If device is WUfB managed. +- **IsDeviceWUFBManaged** If device is Windows Update for Business managed. - **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft. - **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count. - **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device. 
@@ -6257,8 +6257,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. - **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. - **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. @@ -6374,7 +6374,7 @@ The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** The global event counter counts the total events for the provider. - **PackageVersion** The version for the current package. -- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership. +- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for Windows Update for Business cloud membership. ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin 
@@ -8457,7 +8457,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** This is the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -8472,7 +8472,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Represents the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -8509,7 +8509,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Device in the General Availability Channel. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index adcfe8c9a9..3f2cf6b3ae 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -58,6 +58,11 @@ The following sections list the components that make network connections to Micr The following table lists management options for each setting, For Windows 10 (beginning with Windows 10 Enterprise version 1607) and Windows 11. + > [!IMPORTANT] +> **If you need assistance with troubleshooting issues, please refer to**:
+> - [Keep your device running smoothly](https://support.microsoft.com/topic/keep-your-device-running-smoothly-with-recommended-troubleshooting-ec76fe10-4ac8-ce9d-49c6-757770fe68f1)
+> - [CSP - Troubleshooting](/windows/client-management/mdm/policy-csp-troubleshooting) + | Setting | UI | Group Policy | Registry | | - | :-: | :-: | :-: | @@ -861,6 +866,8 @@ Use Settings > Privacy & security to configure some settings that may be importa - [18.23 Voice Activation](#bkmk-voice-act) +- [18.24 News and interests](#bkmk-priv-news) + ### 18.1 General **General** includes options that don't fall into other areas. @@ -1528,6 +1535,13 @@ To turn this Off in the UI: - Create a REG_DWORD registry setting named **LetAppsActivateWithVoiceAboveLock** in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy** with a **value of 2 (two)** +### 18.24 News and interests + +In the **Windows Feeds** area, you can choose which apps have access to your diagnostic information. + +To turn this off: + +- Create a REG_DWORD registry setting named **EnableFeeds** in **HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Feeds** with a **value of 0 (zero)**. ### 19. Software Protection Platform diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index b9a121fa15..f6b2a11c6d 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md 
@@ -164,6 +164,10 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Certificates +Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. + +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. + The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It's possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that isn't recommended because when root certificates are updated over time, applications and websites may stop working because they didn't receive an updated root certificate the application uses. Additionally, it's used to download certificates that are publicly known to be fraudulent. diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index 7c2bf27999..928db39861 100644 
--- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md 
@@ -68,7 +68,9 @@ The following methodology was used to derive these network endpoints: |Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com| |||HTTPS|ris-prod-atm.trafficmanager.net| |||HTTPS|validation-v2.sls.trafficmanager.net| -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. 
Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. + +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions.|HTTPS|store-images.*microsoft.com| diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index da29e4f457..ddbd16d9ab 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md 
@@ -55,7 +55,9 @@ The following methodology was used to derive these network endpoints: |||HTTP|tile-service.weather.microsoft.com/en-us/livetile/preinstall| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. 
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. + +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. 
If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com*| diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index 48879ed467..5537e7c00a 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md 
@@ -55,7 +55,9 @@ The following methodology was used to derive these network endpoints: |||HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/* ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2|evoke-windowsservices-tas.msedge.net| -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. 
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. + +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. 
If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*| diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index 8035ebc8d5..527aed3376 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md 
@@ -55,7 +55,8 @@ The following methodology was used to derive these network endpoints: ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. 
These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. 
||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 940115bae8..4ed1236f98 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md 
@@ -52,10 +52,11 @@ The following methodology was used to derive these network endpoints: |Area|Description|Protocol|Destination| |----------------|----------|----------|------------| |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| -||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. 
It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. 
If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| 
@@ -66,9 +67,11 @@ The following methodology was used to derive these network endpoints: ||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| |Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| |||HTTP|dmd.metaservices.microsoft.com| -|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||HTTP|www.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: **Administrative Templates** > **Windows Components** > **Windows Error Reporting** > **Disable Windows Error Reporting**. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| |||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| |Font Streaming|The following endpoints are used to download fonts on demand. 
If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| |||HTTPS|fs.microsoft.com| 
@@ -81,7 +84,7 @@ The following methodology was used to derive these network endpoints: |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| ||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| ||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| -|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the web won't work; and PowerShell updateable Help won't update. 
To disable the traffic, instead, disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| ||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| ||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| 
@@ -107,10 +110,10 @@ The following methodology was used to derive these network endpoints: |Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com| |||HTTPS|settings.data.microsoft.com| -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. 
Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| |||HTTPS/HTTP|*.pipe.aria.microsoft.com| |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| -|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| |||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| |Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| |||HTTPS/TLSv1.2|wdcp.microsoft.com| 
@@ -124,7 +127,7 @@ The following methodology was used to derive these network endpoints: |||HTTP|emdl.ws.microsoft.com| ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| |||HTTP|*.windowsupdate.com| -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Microsoft Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| |||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| ||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| 
@@ -137,6 +140,7 @@ The following methodology was used to derive these network endpoints: To view endpoints for other versions of Windows 10 Enterprise, see: - [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) +- [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) @@ -145,6 +149,7 @@ To view endpoints for other versions of Windows 10 Enterprise, see: To view endpoints for non-Enterprise Windows 10 editions, see: - [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) +- [Windows 10, version 20H2, connection endpoints for non-Enterprise editions](windows-endpoints-20H2-non-enterprise-editions.md) - [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) @@ -153,4 +158,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links - [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) -- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file +- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) 
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index ee4c6b4726..084f8f8a9e 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -6328,7 +6328,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** This is the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -6343,7 +6343,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Represents the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -6380,7 +6380,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Device in the General Availability Channel. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 6a226268c2..b37678708d 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md 
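Review bot: spelling out WUfB as Windows Update for Business is fine, but the three Microsoft.Windows.UpdateCsp.ExecuteRollBack* hunks in required-windows-11-diagnostic-events-and-fields.md leave the same "sacDevice" field described three different ways in adjacent context lines ("This is the device info", "Represents the device info", "Device in the General Availability Channel"). Since these field lists are being edited anyway, use one description for the field across the three events.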
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -5789,8 +5789,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. - **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. - **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. @@ -5917,7 +5917,7 @@ The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** The global event counter for counting total events for the provider. - **PackageVersion** The version for the current package. -- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership. +- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for Windows Update for Business cloud membership. ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin 
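Review bot: while expanding "Wufb" in the UnifiedInstaller field list, the adjacent context line "**UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku**" is a mangled field name (it reads as "UnifiedInstallerDeviceIsHomeSkuHresult" pasted into the middle of "UnifiedInstallerDeviceIsHomeSku"); fix it in this pass so the name matches its description "The result code from checking whether a device is Home SKU". Leaving the literal key "UnifiedInstallerDeviceWufbManaged" unchanged while the prose is expanded is correct, since the key is the telemetry field name.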
@@ -7212,7 +7212,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** This is the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -7227,7 +7227,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Represents the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -7270,7 +7270,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Device in the General Availability Channel. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index 9a30c84314..8564378d9c 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -21,7 +21,9 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 +- Windows 11 - Windows Server 2016 +- Windows Server 2019 This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system. 
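Review bot: the security-identifiers.md hunk extends "Applies to" with Windows 11 and Windows Server 2019 but leaves "ms.date: 04/19/2017" in the front matter (visible in the hunk header context); bump ms.date so the page's freshness stamp reflects the expanded applicability, as the content below it is being changed in the same patch.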
@@ -208,7 +210,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID | S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.| | S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.| | S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.| -| S-1-5-17 | IIS_USRS| An account that is used by the default Internet Information Services (IIS) user.| +| S-1-5-17 | IUSR| An account that is used by the default Internet Information Services (IIS) user.| | S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.
System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.| | S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.| | S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.| 
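Review bot: renaming S-1-5-17 from IIS_USRS to IUSR is the right fix (S-1-5-17 is the IUSR account, not the IIS_IUSRS group), but the unchanged description "An account that is used by the default Internet Information Services (IIS) user" now reads circularly. Suggest "The built-in account that IIS uses for anonymous access by default" so the row is clearly an account, distinct from the IIS_IUSRS group added at S-1-5-32-568 later in this patch.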
@@ -243,6 +245,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID |S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.| |S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.| |S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.| +|S-1-5-32-568|Builtin\IIS_IUSRS|An alias. A built-in group account for IIS users.| |S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.| |S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.| |S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.| 
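Review bot: the new S-1-5-32-568 row describes IIS_IUSRS as "A built-in group account for IIS users", which mixes "group" and "account"; the neighbouring rows use either "An alias. A group for ..." or "A built-in local group." Suggest "An alias. A built-in group used by Internet Information Services (IIS)." The numeric placement between 562 and 569 is correct.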
@@ -314,6 +317,19 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCache All Capability SIDs are prefixed by S-1-15-3 +## Examples of registry keys taken from Windows 11, version 21H2, 64-bit Enterprise edition + +You may see the following registry keys under AllCachedCapabilities: + +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows + +All Capability SIDs are prefixed by S-1-15-3 + ## See also - [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 1cc41effde..bb8984236d 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -24,7 +24,7 @@ ms.reviewer: - Windows 11 **Requirements:** -* Windows Hello for Business deployment (Hybrid or On-premises) +* Windows Hello for Business deployment (Cloud, Hybrid or On-premises) * Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments) * Windows 10, version 1709 or newer, or Windows 11 * Bluetooth, Bluetooth capable phone - optional 
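Review bot: the new "Examples of registry keys" section repeats the sentence "All Capability SIDs are prefixed by S-1-15-3" that already appears immediately above the new heading; drop one copy. The six HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\... lines also carry no list markers or code fence, so Markdown will collapse them into one paragraph; put them in a fenced block or one bullet per key so each key stays on its own line.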
@@ -396,4 +396,4 @@ Multi-factor unlock writes events to event log under **Application and Services |5520|Unlock policy not configured| |6520|Warning event| |7520|Error event| -|8520|Success event| \ No newline at end of file +|8520|Success event| diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index fdd927d52e..d24f5dbfd0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md 
@@ -33,18 +33,27 @@ You are ready to configure device registration for your hybrid environment. Hybr > * Azure AD joined devices > * Hybrid Azure AD joined devices > -> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction) +> You can learn about this and more by reading [What is a device identity](/azure/active-directory/devices/overview) -## Configure Azure for Device Registration +## Configure Hybrid Azure AD join Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. -To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal). +Follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment. -Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark. +
+ +If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps: +- Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD. +- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD. + +You can learn more about this scenario by reading [Review on-premises UPN support for Hybrid Azure Ad join](azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join). + +> [!NOTE] +> Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD. -

+

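Review bot: the link in the new UPN paragraph, "[Review on-premises UPN support for Hybrid Azure Ad join](azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join)", is missing the leading slash that every other link in this hunk has (compare "/azure/active-directory/devices/hybrid-azuread-join-plan"), so it resolves relative to the current page and breaks; also capitalise "Azure AD" in the link text. Note as well that this same three-paragraph UPN block is inserted verbatim into hello-hybrid-key-trust-dirsync.md in this patch; two copies will drift, so keep one and link to it from the other.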
@@ -56,4 +65,4 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. Configure Azure Device Registration (*You are here*) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 28c80840a2..705b84df66 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -36,6 +36,13 @@ Next, you need to synchronize the on-premises Active Directory with Azure Active
+If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps: +- Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD. +- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD. + +> [!NOTE] +> Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD. +
## Follow the Windows Hello for Business hybrid key trust deployment guide @@ -46,4 +53,4 @@ Next, you need to synchronize the on-premises Active Directory with Azure Active 4. Configure Directory Synchronization (*You are here*) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index b1e9071045..bbc7256c6d 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -60,7 +60,7 @@ With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt. -![uac consent prompt.](images/uacconsentprompt.gif) +:::image type="content" source="images/uacconsentprompt.png" alt-text="UAC consent prompt."::: **The credential prompt** @@ -68,7 +68,7 @@ The credential prompt is presented when a standard user attempts to perform a ta The following is an example of the UAC credential prompt. -![uac credential prompt.](images/uaccredentialprompt.gif) +:::image type="content" source="images/uaccredentialprompt.png" alt-text="UAC credential prompt."::: **UAC elevation prompts** 
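Review bot: the dirsync hunk is the natural home for the UPN guidance (both bullets are Azure AD Connect and verified-domain steps), but it duplicates word for word the block added to hello-hybrid-key-trust-devreg.md earlier in this patch. Keep this copy and reduce the devreg one to a sentence linking here, so the NOTE about hybrid key trust not being supported without a verified domain is maintained in one place.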
@@ -85,7 +85,7 @@ The elevation prompt color-coding is as follows: Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item. -![uac shield icon.](images/uacshieldicon.png) +:::image type="content" source="images/uacshieldicon.png" alt-text="UAC Shield Icon in Date and Time Properties"::: The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt. diff --git a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.gif b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.gif deleted file mode 100644 index ec65e67586..0000000000 Binary files a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.gif and /dev/null differ diff --git a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png new file mode 100644 index 0000000000..1a84a4cfd7 Binary files /dev/null and b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png differ diff --git a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.gif b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.gif deleted file mode 100644 index 86374d118b..0000000000 Binary files a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.gif and /dev/null differ 
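Review bot: the three converted image tags use inconsistent alt text: "UAC consent prompt." and "UAC credential prompt." are sentence case with a trailing period, while "UAC Shield Icon in Date and Time Properties" is Title Case with no period. Normalise the third to "UAC shield icon in Date and Time Properties." Swapping the .gif references for .png is fine since the old .gif files are deleted in the same patch.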
diff --git a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png new file mode 100644 index 0000000000..df0077b91b Binary files /dev/null and b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png differ diff --git a/windows/security/identity-protection/user-account-control/images/uacshieldicon.png b/windows/security/identity-protection/user-account-control/images/uacshieldicon.png index 8df37f2c12..5c9e4de2f7 100644 Binary files a/windows/security/identity-protection/user-account-control/images/uacshieldicon.png and b/windows/security/identity-protection/user-account-control/images/uacshieldicon.png differ diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 59a725fa26..441d05936f 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md 
@@ -77,7 +77,7 @@ Should a management tool remove or add the same profile name back and set **Alwa ## Trusted network detection -This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered. +This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffixes. The VPN stack will look at the network name of the physical interface connection profile and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered. Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp). diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index dfac592fab..1e29149153 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -1,5 +1,5 @@ --- -title: BitLocker basic deployment (Windows 10) +title: BitLocker basic deployment description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4 ms.reviewer: 
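Review bot: the rewritten Trusted network detection sentence is internally inconsistent: it still says "The value of this setting is a list of DNS suffixes" but now says the VPN stack compares "the network name of the physical interface connection profile" against that list. A DNS suffix and a connection profile's network name are different properties, so state which one is actually matched; if it is the DNS suffix attached to the connection profile, say "the DNS suffix of the connection profile on the physical interface" rather than "network name".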
@@ -32,9 +32,9 @@ This article for the IT professional explains how BitLocker features can be used ## Using BitLocker to encrypt volumes -BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. +BitLocker provides full volume encryption (FVE) for operating system volumes, and fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. -In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. +If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. > [!NOTE] > For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference. 
@@ -43,43 +43,43 @@ BitLocker encryption can be done using the following methods: - BitLocker control panel - Windows Explorer -- manage-bde command-line interface +- `manage-bde` command-line interface - BitLocker Windows PowerShell cmdlets ### Encrypting volumes using the BitLocker control panel -Encrypting volumes with the BitLocker control panel (select **Start**, type *bitlocker*, select **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. +Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume). ### Operating system volume -Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. 
By default, the system requirements are: +When the BitLocker Drive Encryption Wizard launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are: |Requirement|Description| |--- |--- | |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| |Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.| -|Hardware TPM|TPM version 1.2 or 2.0.

A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| +|Hardware TPM|TPM version 1.2 or 2.0.

A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| |BIOS configuration|

  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
  • The firmware must be able to read from a USB flash drive during startup.
  • | |File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| -Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. -Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive. +Upon passing the initial configuration, users are required to enter a password for the volume. If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. +Once a strong password has been created for the volume, a recovery key will be generated. 
The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer can't access the drive. -You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you are not encrypting. You cannot save the recovery key to the root directory of a non-removable drive and cannot be stored on the encrypted volume. You cannot save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies. +You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you aren't encrypting. You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume. You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. 
After you create a recovery key, you can use the BitLocker control panel to make additional copies. When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to choose how to encrypt the drive. There are two options: - Encrypt used disk space only - Encrypts only disk space that contains data - Encrypt entire drive - Encrypts the entire volume including free space -It is recommended that drives with little to no data utilize the **used disk space only** encryption option and that drives with data or an operating system utilize the **encrypt entire drive** option. +It's recommended that drives with little to no data use the **used disk space only** encryption option and that drives with data or an operating system use the **encrypt entire drive** option. > [!NOTE] -> Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. +> Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. -Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. 
+Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. 
@@ -88,10 +88,10 @@ Until encryption is completed, the only available options for managing BitLocker ### Data volume Encrypting data volumes using the BitLocker control panel interface works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the control panel to begin the BitLocker Drive Encryption wizard. -Unlike for operating system volumes, data volumes are not required to pass any configuration tests for the wizard to proceed. Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are **password** and **smart card** and **automatically unlock this drive on this computer**. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked. +Unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the wizard to proceed. Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are **password** and **smart card** and **automatically unlock this drive on this computer**. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked. After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes. -With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it is recommended that used space only encryption is selected. +With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. 
These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it's recommended that used space only encryption is selected. With an encryption method chosen, a final confirmation screen displays before beginning the encryption process. Selecting **Start encrypting** will begin encryption. @@ -99,7 +99,7 @@ Encryption status displays in the notification area or within the BitLocker cont ### OneDrive option -There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that are not joined to a domain. +There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain. Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name. 
@@ -152,7 +152,7 @@ manage-bde -on C: **Enabling BitLocker with a TPM only** -It is possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command: +It's possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command: `manage-bde -on C:` @@ -257,9 +257,9 @@ $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` -### Using a SID-based protector in Windows PowerShell +### Using an SID-based protector in Windows PowerShell -The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over and be unlocked to any member computer of the cluster. +The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster. > [!WARNING] > The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes. 
@@ -280,7 +280,7 @@ Get-ADUser -filter {samaccountname -eq "administrator"} > Use of this command requires the RSAT-AD-PowerShell feature. > [!TIP] -> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. +> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features. In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: 
@@ -302,11 +302,11 @@ Checking BitLocker status with the control panel is the most common method used | Status | Description | | - | - | | **On**|BitLocker is enabled for the volume | -| **Off**| BitLocker is not enabled for the volume | +| **Off**| BitLocker isn't enabled for the volume | | **Suspended** | BitLocker is suspended and not actively protecting the volume | | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| -If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. +If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. The drive security window displays prior to changing the volume status. 
Selecting **Activate BitLocker** will complete the encryption process. @@ -350,7 +350,7 @@ Decrypting volumes removes BitLocker and any associated protectors from the volu BitLocker decryption using the control panel is done using a Wizard. The control panel can be called from Windows Explorer or by opening the directly. After opening the BitLocker control panel, users will select the Turn off BitLocker option to begin the process. Once selected, the user chooses to continue by clicking the confirmation dialog. With Turn off BitLocker confirmed, the drive decryption process will begin and report status to the control panel. -The control panel does not report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress. +The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress. Once decryption is complete, the drive will update its status in the control panel and is available for encryption. 
@@ -370,9 +370,9 @@ manage-bde -status C: ### Decrypting volumes using the BitLocker Windows PowerShell cmdlets -Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. The additional advantage Windows PowerShell offers is the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. +Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. -Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for additional commands. An example of this command is: +Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is: ```powershell Disable-BitLocker diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 83d1f263d5..c3f40de8e2 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -18,11 +18,11 @@ ms.date: 02/28/2019 ms.custom: bitlocker --- -# BitLocker Management for Enterprises +# BitLocker management for enterprises -The ideal for BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. +The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. -Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. 
This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers. +Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers. > [!IMPORTANT] 
@@ -44,27 +44,26 @@ For hardware that is compliant with Modern Standby and HSTI, when using either o This is applicable to Azure Hybrid AD as well. - ## Managing workplace-joined PCs and phones -For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. +For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. ## Managing servers -Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. +Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, you must add the necessary GUI components first. 
The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features). If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because you can avoid performing the steps to add a GUI to Server Core. - Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#related-articles).   ## PowerShell examples -For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory. 
+For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure AD. *Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker* ```powershell diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index e89957070a..3463eceedc 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -87,6 +87,9 @@ If you don't set or you disable this policy, the PKU2U protocol won't be used to If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. Without enabling this policy, remote connections to an Azure AD joined device will not work. +### Fix/Remediation + +This vulnerability was fixed on February 9, 2021, in the [CVE-2021-25195](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-25195) Security Update. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 71779ec0d3..2b4a1c4e87 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -15,7 +15,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 08/23/2021 +ms.date: 09/29/2021 --- # Microsoft recommended block rules @@ -88,6 +88,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you | `Alex Ionescu` | `@aionescu`| | `Brock Mammen`| | | `Casey Smith` | `@subTee` | +| `James Forshaw` | `@tiraniddo` | | `Jimmy Bayne` | `@bohops` | | `Kim Oppalfens` | `@thewmiguy` | | `Lasse Trolle Borup` | `Langkjaer Cyber Defence` | @@ -1558,4 +1559,4 @@ Select the correct version of each .dll for the Windows release you plan to supp ## More information -- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) \ No newline at end of file +- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index bb97981cfe..905d4ff2dd 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md 
@@ -46,9 +46,9 @@ IT Pros can use Autopilot Reset to quickly remove personal files, apps, and sett ## Update -### Windows Update for Business (WUfB) +### Windows Update for Business -WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). +Windows Update for Business now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). ### Windows Insider Program for Business diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 0afb63e954..f2f4dc5964 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -120,7 +120,7 @@ For more information, see [Windows Setup Command-Line Options](/windows-hardware SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. -### Windows Update for Business (WUfB) +### Windows Update for Business Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](/intune/windows-update-for-business-configure). 
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 41c5c84b1f..3b33b31e96 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -36,9 +36,9 @@ Pre-release Windows 10 feature updates are now available to IT administrators us The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903. -### Windows Update for Business (WUfB) +### Windows Update for Business -If you are using WUfB, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy. +If you are using Windows Update for Business, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy. ## Security
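Review bot: in the recovery-key hunk of the BitLocker deployment article (the one ending with the system-check paragraph), the contraction rewrite keeps the dangling clause "You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume", which has no subject for "can't be stored". Suggest "You can't save the recovery key to the root directory of a non-removable drive, and it can't be stored on the encrypted volume." The same hunk applies the contraction pass unevenly: "It is recommended" becomes "It's recommended", but "Until they are wiped or overwritten" in the note is left as is; do both or neither. In the system-check sentence, "which will ensure that BitLocker can properly access the recovery and encryption keys" reads better as "which ensures that BitLocker can access the recovery and encryption keys"; since a skipped check is what leads to the recovery-key prompt on first boot described in the next sentence, keeping that sentence short helps the point land.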
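Review bot: in hunk @@ -88,10 the unchanged-wording sentence "The available options are **password** and **smart card** and **automatically unlock this drive on this computer**" chains two "and"s; make it a list: "**password**, **smart card**, and **automatically unlock this drive on this computer**". The same hunk names the wizard options "**used disk space only** and **full drive encryption**", while the earlier hunk calls the second option "**encrypt entire drive**"; use one label for the same option throughout the article so readers can match the text to the wizard.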
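Review bot: in hunk @@ -99,7 the rewritten line keeps "using the OneDrive" (drop the article) and leaves "There is a new option" uncontracted while every other "is not"/"do not" on the line is contracted. Calling the OneDrive storage method "new" will also age badly; "There's an option for storing the BitLocker recovery key in OneDrive" is enough. The rest of the paragraph already carries the important caveat (Microsoft account required, not available for domain-joined or local accounts), so no further change is needed there.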
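Review bot: in hunk @@ -152,7 the heading says "Enabling BitLocker with a TPM only" but the body says the volume is encrypted "without any defined protectors"; a reader can take that as "no protector at all", which is the clear-key "Waiting for Activation" state described later in the same article. Suggest saying explicitly that with no protector specified on the command line the TPM protector is what is used, as the heading implies, so the two cases are not confused.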
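Review bot: in hunk @@ -257,9 the change from "a SID-based protector" to "an SID-based protector" (heading and body) should be reverted: "SID" is read as a word, so "a SID-based" is the correct article. The same hunk also replaces the verb "fail over" with the noun "failover" in "lets the disk properly failover and be unlocked"; keep "fail over" there.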
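Review bot: in hunk @@ -280,7 the tip gives the command as bare text, "found using: WHOAMI /ALL"; format it as inline code (`whoami /all`) to match the `Get-ADUser` example above it, and say what the reader is looking for in its output (the account and group SIDs, which is what the ADAccountOrGroup protector described in this section needs) rather than leaving "information about the locally logged on user and group membership" unexplained.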
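Review bot: in hunk @@ -350,7 the unchanged context sentence "The control panel can be called from Windows Explorer or by opening the directly." is missing its object after "opening the"; since this paragraph is being touched anyway, fill in the missing noun in this PR rather than shipping the sentence as is.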
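Review bot: in hunk @@ -370,9 dropping "The additional advantage" loses the contrast with manage-bde that the sentence exists to make; "Unlike manage-bde, Windows PowerShell can decrypt multiple drives in one pass." keeps it. "without the need for more commands" also shifts the meaning slightly; "without further commands" is closer to the original. Given that the example removes every protector and decrypts three volumes at once, a one-line caution that this leaves the data unprotected and is not reversible except by re-encrypting would be worth adding next to the `Disable-BitLocker` example.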
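Review bot: in hunk @@ -18,11 of the enterprise-management article, "The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped" introduces a subject-verb error; the subject is "growth", so the original "has helped" was right. "Secure Boot" is the proper name of the UEFI feature and should keep its capitals rather than being lowercased. The hunk header also shows `ms.date: 02/28/2019` unchanged although the title and opening paragraphs change; bump it as is done for the other files in this PR.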
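Review bot: in hunk @@ -44,27 the "Managing servers" paragraph swaps "so" for "therefore" twice in two sentences, which reads stiff; the original "so" was fine, or use "therefore" once. The rewritten "Additionally, lights-out data centers" line still begins with a leading space, a leftover indent that should be stripped while the line is being edited. In the unchanged context, "This is applicable to Azure Hybrid AD as well." uses an inverted term; the feature is "hybrid Azure AD join", and "Bitlocker FAQs" should be "BitLocker FAQs".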
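Review bot: in hunk @@ -87,6 of the PKU2U policy article, the added sentence "This vulnerability was fixed on February 9, 2021" has no antecedent: the section above it describes how the policy behaves in a hybrid environment, not a vulnerability, so the reader cannot tell what was fixed. State which issue is meant and tie it to the policy this article documents. A CVE identifies a vulnerability, not an update, so "in the CVE-2021-25195 Security Update" should read "in the security update for CVE-2021-25195". The heading "### Fix/Remediation" should use one word; the surrounding headings in these articles do not use slashes.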
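Review bot: in hunk @@ -36,9 of the 1909 what's-new article, "If you are using Windows Update for Business, you will receive" is left uncontracted while the rest of this PR applies a contraction pass ("isn't", "doesn't", "aren't"); for consistency use "If you're using Windows Update for Business, you'll receive". The expansion of "WUfB" to the full name in the heading and body is fine and matches the 1709 and 1803 hunks.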