Merged PR 12930: 11/19 AM Publish
@ -25,6 +25,9 @@
|
||||
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
|
||||
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
|
||||
### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
|
||||
## [Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md)
|
||||
### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
|
||||
### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
|
||||
## [Surface Data Eraser](microsoft-surface-data-eraser.md)
|
||||
## [Top support solutions for Surface devices](support-solutions-surface.md)
|
||||
## [Change history for Surface documentation](change-history-for-surface.md)
|
||||
|
@ -19,6 +19,9 @@ This topic lists new and updated topics in the Surface documentation library.
|
||||
New or changed topic | Description
|
||||
--- | ---
|
||||
|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Pro 6 |
|
||||
[Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) | New
|
||||
[Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) | New
|
||||
[Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) | New
|
||||
|
||||
## October 2018
|
||||
|
||||
|
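Review bot: The three Surface Diagnostic Toolkit rows in this table are written without the leading and trailing `|` that the row directly above them (`|[Download the latest firmware and drivers for Surface devices]... | Added Surface Pro 6 |`) uses. Pick one row style for the whole table so it renders the same way across Markdown engines.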
BIN
devices/surface/images/sdt-1.png
Normal file
After Width: | Height: | Size: 110 KiB |
BIN
devices/surface/images/sdt-2.png
Normal file
After Width: | Height: | Size: 52 KiB |
BIN
devices/surface/images/sdt-3.png
Normal file
After Width: | Height: | Size: 92 KiB |
BIN
devices/surface/images/sdt-4.png
Normal file
After Width: | Height: | Size: 74 KiB |
BIN
devices/surface/images/sdt-5.png
Normal file
After Width: | Height: | Size: 81 KiB |
BIN
devices/surface/images/sdt-6.png
Normal file
After Width: | Height: | Size: 63 KiB |
BIN
devices/surface/images/sdt-7.png
Normal file
After Width: | Height: | Size: 64 KiB |
BIN
devices/surface/images/sdt-desk-1.png
Normal file
After Width: | Height: | Size: 686 KiB |
BIN
devices/surface/images/sdt-desk-2.png
Normal file
After Width: | Height: | Size: 68 KiB |
BIN
devices/surface/images/sdt-desk-3.png
Normal file
After Width: | Height: | Size: 47 KiB |
BIN
devices/surface/images/sdt-desk-4.png
Normal file
After Width: | Height: | Size: 31 KiB |
BIN
devices/surface/images/sdt-desk-5.png
Normal file
After Width: | Height: | Size: 29 KiB |
BIN
devices/surface/images/sdt-desk-6.png
Normal file
After Width: | Height: | Size: 62 KiB |
165
devices/surface/surface-diagnostic-toolkit-business.md
Normal file
@ -0,0 +1,165 @@
|
||||
---
|
||||
title: Surface Diagnostic Toolkit for Business
|
||||
description: This topic explains how to use the Surface Diagnostic Toolkit for Business.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
author: jdeckerms
|
||||
ms.author: jdecker
|
||||
ms.topic: article
|
||||
ms.date: 11/15/2018
|
||||
---
|
||||
|
||||
# Surface Diagnostic Toolkit for Business
|
||||
|
||||
The Microsoft Surface Diagnostic Toolkit for Business (SDT) enables IT administrators to quickly investigate, troubleshoot, and resolve hardware, software, and firmware issues with Surface devices. You can run a range of diagnostic tests and software repairs in addition to obtaining device health insights and guidance for resolving issues.
|
||||
|
||||
Specifically, SDT for Business enables you to:
|
||||
|
||||
- [Customize the package.](#create-custom-sdt)
|
||||
- [Run the app using commands.](surface-diagnostic-toolkit-command-line.md)
|
||||
- [Run multiple hardware tests to troubleshoot issues.](surface-diagnostic-toolkit-desktop-mode.md#multiple)
|
||||
- [Generate logs for analyzing issues.](surface-diagnostic-toolkit-desktop-mode.md#logs)
|
||||
- [Obtain detailed report comparing device vs optimal configuration.](surface-diagnostic-toolkit-desktop-mode.md#detailed-report)
|
||||
|
||||
|
||||
## Primary scenarios and download resources
|
||||
|
||||
To run SDT for Business, download the components listed in the following table.
|
||||
|
||||
>[!NOTE]
|
||||
>In contrast to the way you typically install MSI packages, the SDT distributable MSI package can only be created by running Windows Installer (MSI.exe) at a command prompt and setting the custom flag `ADMINMODE = 1`. For details, see [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md).
|
||||
|
||||
Mode | Primary scenarios | Download | Learn more
|
||||
--- | --- | --- | ---
|
||||
Desktop mode | Assist users in running SDT on their Surface devices to troubleshoot issues.<br>Create a custom package to deploy on one or more Surface devices allowing users to select specific logs to collect and analyze. | SDT distributable MSI package<br>Microsoft Surface Diagnostic Toolkit for Business Installer.MSI<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Use Surface Diagnostic Toolkit in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
|
||||
Command line | Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:<br>`-DataCollector` collects all log files<br>`-bpa` runs health diagnostics using Best Practice Analyzer.<br>`-windowsupdate` checks Windows update for missing firmware or driver updates.<br><br>**Note:** Support for the ability to confirm warranty information will be available via the command `-warranty` | SDT console app<br>Microsoft Surface Diagnostics App Console.exe<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md)
|
||||
|
||||
## Supported devices
|
||||
|
||||
SDT for Business is supported on Surface 3 and later devices, including:
|
||||
|
||||
- Surface Pro 6
|
||||
- Surface Laptop 2
|
||||
- Surface Go
|
||||
- Surface Go with LTE
|
||||
- Surface Book 2
|
||||
- Surface Pro with LTE Advanced (Model 1807)
|
||||
- Surface Pro (Model 1796)
|
||||
- Surface Laptop
|
||||
- Surface Studio
|
||||
- Surface Studio 2
|
||||
- Surface Book
|
||||
- Surface Pro 4
|
||||
- Surface 3 LTE
|
||||
- Surface 3
|
||||
- Surface Pro 3
|
||||
|
||||
## Installing Surface Diagnostic Toolkit for Business
|
||||
|
||||
To create an SDT package that you can distribute to users in your organization, you first need to install SDT at a command prompt and set a custom flag to install the tool in admin mode. SDT contains the following install option flags:
|
||||
|
||||
- `SENDTELEMETRY` sends telemetry data to Microsoft. The flag accepts `0` for disabled or `1` for enabled. The default value is `1` to send telemetry.
|
||||
- `ADMINMODE` configures the tool to be installed in admin mode. The flag accepts `0` for Business client mode or `1` for Business Administrator mode. The default value is `0`.
|
||||
|
||||
**To install SDT in ADMINMODE:**
|
||||
|
||||
1. Sign into your Surface device using the Administrator account.
|
||||
2. Download SDT Windows Installer Package (.msi) from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703) and copy it to a preferred location on your Surface device, such as Desktop.
|
||||
3. Open a command prompt and enter:
|
||||
|
||||
```
|
||||
msiexec.exe /i <the path of installer> ADMINMODE=1.
|
||||
```
|
||||
**Example:**
|
||||
|
||||
```
|
||||
C:\Users\Administrator> msiexec.exe/I"C:\Users\Administrator\Desktop\Microsoft_Surface_Diagnostic_Toolkit_for_Business_Installer.msi" ADMINMODE=1
|
||||
```
|
||||
|
||||
4. The SDT setup wizard appears, as shown in figure 1. Click **Next**.
|
||||
|
||||
>[!NOTE]
|
||||
>If the setup wizard does not appear, ensure that you are signed into the Administrator account on your computer.
|
||||
|
||||

|
||||
|
||||
*Figure 1. Surface Diagnostic Toolkit setup wizard*
|
||||
|
||||
5. When the SDT setup wizard appears, click **Next**, accept the End User License Agreement (EULA), and select a location to install the package.
|
||||
|
||||
6. Click **Next** and then click **Install**.
|
||||
|
||||
## Locating SDT on your Surface device
|
||||
|
||||
Both SDT and the SDT app console are installed at `C:\Program Files\Microsoft\Surface\Microsoft Surface Diagnostic Toolkit for Business`.
|
||||
|
||||
In addition to the .exe file, SDT installs a JSON file and an admin.dll file (modules\admin.dll), as shown in figure 2.
|
||||
|
||||

|
||||
|
||||
*Figure 2. Files installed by SDT*
|
||||
|
||||
<span id="create-custom-sdt" />
|
||||
## Preparing the SDT package for distribution
|
||||
|
||||
Creating a custom package allows you to target the tool to specific known issues.
|
||||
|
||||
1. Click **Start > Run**, enter **Surface** and then click **Surface Diagnostic Toolkit for Business**.
|
||||
2. When the tool opens, click **Create Custom Package**, as shown in figure 3.
|
||||
|
||||

|
||||
|
||||
*Figure 3. Create custom package*
|
||||
|
||||
### Language and telemetry page
|
||||
|
||||
|
||||
When you start creating the custom package, you’re asked whether you agree to send data to Microsoft to help improve the application. For more information,see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). Sharing is on by default, so uncheck the box if you wish to decline.
|
||||
|
||||
>[!NOTE]
|
||||
>This setting is limited to only sharing data generated while running packages.
|
||||
|
||||

|
||||
|
||||
*Figure 4. Select language and telemetry settings*
|
||||
|
||||
### Windows Update page
|
||||
|
||||
Select the option appropriate for your organization. Most organizations with multiple users will typically select to receive updates via Windows Server Update Services (WSUS), as shown in figure 5. If using local Windows update packages or WSUS, enter the path as appropriate.
|
||||
|
||||

|
||||
|
||||
*Figure 5. Windows Update option*
|
||||
|
||||
### Software repair page
|
||||
|
||||
This allows you to select or remove the option to run software repair updates.
|
||||
|
||||

|
||||
|
||||
*Figure 6. Software repair option*
|
||||
|
||||
### Collecting logs and saving package page
|
||||
|
||||
You can select to run a wide range of logs across applications, drivers, hardware, and the operating system. Click the appropriate area and select from the menu of available logs. You can then save the package to a software distribution point or equivalent location that users can access.
|
||||
|
||||

|
||||
|
||||
*Figure 7. Log option and save package*
|
||||
|
||||
## Next steps
|
||||
|
||||
- [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
|
||||
- [Use Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
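Review bot: The two command blocks under step 3 of "To install SDT in ADMINMODE" will not run as pasted: the syntax line ends with a literal period (`ADMINMODE=1.`) and the example has no spaces around the switch (`msiexec.exe/I"C:\Users\...`). Suggest `msiexec.exe /i "<path of installer>" ADMINMODE=1` for the syntax line and the same spacing, with the path quoted, in the example. The note under "Primary scenarios and download resources" names the tool "Windows Installer (MSI.exe)" and writes the flag as `ADMINMODE = 1`; use msiexec.exe and the no-space form there as well so the three places agree. Because `SENDTELEMETRY` is documented as defaulting to `1`, it would help administrators who must opt out to show `SENDTELEMETRY=0` on the same install line. Steps 4 and 5 both describe the setup wizard appearing and clicking **Next**; merge them. Figure 1 points at `images/sdt-install.png`, which is not among the image files listed in this change, while `sdt-1.png` is added but not referenced in the visible files; please confirm the intended file. Minor: "For more information,see" needs a space, and the "Next steps" link text "Use Surface Diagnostic Toolkit for Business using commands" does not match the target title "Run Surface Diagnostic Toolkit for Business using commands".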
143
devices/surface/surface-diagnostic-toolkit-command-line.md
Normal file
@ -0,0 +1,143 @@
|
||||
---
|
||||
title: Run Surface Diagnostic Toolkit for Business using commands
|
||||
description: How to run Surface Diagnostic Toolkit in a command console
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
author: jdeckerms
|
||||
ms.author: jdecker
|
||||
ms.topic: article
|
||||
ms.date: 11/15/2018
|
||||
---
|
||||
|
||||
# Run Surface Diagnostic Toolkit for Business using commands
|
||||
|
||||
Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features.
|
||||
|
||||
>[!NOTE]
|
||||
>To run SDT using commands, you must be signed in to the Administrator account or signed in to an account that is a member of the Administrator group on your Surface device.
|
||||
|
||||
## Running SDT app console
|
||||
|
||||
Download and install SDT app console from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703). You can use the Windows command prompt (cmd.exe) or Windows PowerShell to:
|
||||
|
||||
- Collect all log files.
|
||||
- Run health diagnostics using Best Practice Analyzer.
|
||||
- Check update for missing firmware or driver updates.
|
||||
|
||||
By default, output files are saved to C:\Administrator\user. Refer to the following table for a complete list of commands.
|
||||
|
||||
Command | Notes
|
||||
--- | ---
|
||||
-DataCollector "output file" | Collects system details into a zip file. "output file" is the file path to create system details zip file.<br><br>**Example**:<br>`Microsoft.Surface.Diagnostics.App.Console.exe -DataCollector SDT_DataCollection.zip`
|
||||
-bpa "output file" | Checks several settings and health indicators in the device. “output file" is the file path to create the HTML report.<br><br>**Example**:<br>`Microsoft.Surface.Diagnostics.App.Console.exe -bpa BPA.html`
|
||||
-windowsupdate | Checks Windows Update online servers for missing firmware and/or driver updates.<br><br>**Example**:<br>Microsoft.Surface.Diagnostics.App.Console.exe -windowsupdate
|
||||
|
||||
>[!NOTE]
|
||||
>To run the SDT app console remotely on target devices, you can use a configuration management tool such as System Center Configuration Manager. Alternatively, you can create a .zip file containing the console app and appropriate console commands and deploy per your organization’s software distribution processes.
|
||||
|
||||
## Running Best Practice Analyzer
|
||||
|
||||
You can run BPA tests across key components such as BitLocker, Secure Boot, and Trusted Platform Module (TPM) and then output the results to a shareable file. The tool generates a series of tables with color-coded headings and condition descriptors along with guidance about how to approach resolving the issue.
|
||||
|
||||
- Green indicates the component is running in an optimal condition (optimal).
|
||||
- Orange indicates the component is not running in an optimal condition (not optimal).
|
||||
- Red indicates the component is in an abnormal state.
|
||||
|
||||
### Sample BPA results output
|
||||
|
||||
<table>
|
||||
<tr><th colspan="2"><font color="00ff00">BitLocker</font></th></tr>
|
||||
<tr><td><strong>Description:</strong></td><td>Checks if BitLocker is enabled on the system drive.</td></tr>
|
||||
<tr><td><strong>Value:</strong></td><td>Protection On</td></tr>
|
||||
<tr><td><strong>Condition:</strong></td><td><font color="00ff00">Optimal</font></td></tr>
|
||||
<tr><td><strong>Guidance:</strong></td><td>It is highly recommended to enable BitLocker to protect your data.</td></tr>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<tr><th colspan="2"><font color="00ff00">Secure Boot</font></th></tr>
|
||||
<tr><td><strong>Description:</strong></td><td>Checks if Secure Boot is enabled.</td></tr>
|
||||
<tr><td><strong>Value:</strong></td><td>True</td></tr>
|
||||
<tr><td><strong>Condition:</strong></td><td><font color="00ff00">Optimal</font></td></tr>
|
||||
<tr><td><strong>Guidance:</strong></td><td>It is highly recommended to enable Secure Boot to protect your PC.</td></tr>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<tr><th colspan="2"><font color="00ff00">Trusted Platform Module</font></th></tr>
|
||||
<tr><td><strong>Description:</strong></td><td>Ensures that the TPM is functional.</td></tr>
|
||||
<tr><td><strong>Value:</strong></td><td>True</td></tr>
|
||||
<tr><td><strong>Condition:</strong></td><td><font color="00ff00">Optimal</font></td></tr>
|
||||
<tr><td><strong>Guidance:</strong></td><td>Without a functional TPM, security-based functions such as BitLocker may not work properly.</td></tr>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<tr><th colspan="2"><font color="00ff00">Connected Standby</font></th></tr>
|
||||
<tr><td><strong>Description:</strong></td><td>Checks if Connected Standby is enabled.</td></tr>
|
||||
<tr><td><strong>Value:</strong></td><td>True</td></tr>
|
||||
<tr><td><strong>Condition:</strong></td><td><font color="00ff00">Optimal</font></td></tr>
|
||||
<tr><td><strong>Guidance:</strong></td><td>Connected Standby allows a Surface device to receive updates and notifications while not being used. For best experience, Connected Standby should be enabled.</td></tr>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<tr><th colspan="2"><font color="00ff00">Bluetooth</font></th></tr>
|
||||
<tr><td><strong>Description:</strong></td><td>Checks if Bluetooth is enabled.</td></tr>
|
||||
<tr><td><strong>Value:</strong></td><td>Enabled</td></tr>
|
||||
<tr><td><strong>Condition:</strong></td><td><font color="00ff00">Optimal</font></td></tr>
|
||||
<tr><td><strong>Guidance:</strong></td><td></td></tr>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<tr><th colspan="2"><font color="00ff00">Debug Mode</font></th></tr>
|
||||
<tr><td><strong>Description:</strong></td><td>Checks if the operating system is in Debug mode.</td></tr>
|
||||
<tr><td><strong>Value:</strong></td><td>Normal</td></tr>
|
||||
<tr><td><strong>Condition:</strong></td><td><font color="00ff00">Optimal</font></td></tr>
|
||||
<tr><td><strong>Guidance:</strong></td><td>The debug boot option enables or disables kernel debugging of the Windows operating system. Enabling this option can cause system instability and can prevent DRM (digital rights managemend) protected media from playing.</td></tr>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<tr><th colspan="2"><font color="00ff00">Test Signing</font></th></tr>
|
||||
<tr><td><strong>Description:</strong></td><td>Checks if Test Signing is enabled.</td></tr>
|
||||
<tr><td><strong>Value:</strong></td><td>Normal</td></tr>
|
||||
<tr><td><strong>Condition:</strong></td><td><font color="00ff00">Optimal</font></td></tr>
|
||||
<tr><td><strong>Guidance:</strong></td><td>Test Signing is a Windows startup setting that should only be used to test pre-release drivers.</td></tr>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<tr><th colspan="2"><font color="00ff00">Active Power Plan</font></th></tr>
|
||||
<tr><td><strong>Description:</strong></td><td>Checks that the correct power plan is active.</td></tr>
|
||||
<tr><td><strong>Value:</strong></td><td>Balanced</td></tr>
|
||||
<tr><td><strong>Condition:</strong></td><td><font color="00ff00">Optimal</font></td></tr>
|
||||
<tr><td><strong>Guidance:</strong></td><td>It is highly recommended to use the "Balanced" power plan to maximize productivity and battery life.</td></tr>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<tr><th colspan="2"><font color="ff9500">Windows Update</font></th></tr>
|
||||
<tr><td><strong>Description:</strong></td><td>Checks if the device is up to date with Windows updates.</td></tr>
|
||||
<tr><td><strong>Value:</strong></td><td>Microsoft Silverlight (KB4023307), Definition Update for Windows Defender Antivirus - KB2267602 (Definition 1.279.1433.0)</td></tr>
|
||||
<tr><td><strong>Condition:</strong></td><td><font color="ff9500">Not Optimal</font></td></tr>
|
||||
<tr><td><strong>Guidance:</strong></td><td>Updating to the latest windows makes sure you are on the latest firmware and drivers. It is recommended to always keep your device up to date</td></tr>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<tr><th colspan="2"><font color="00ff00">Free Hard Drive Space</font></th></tr>
|
||||
<tr><td><strong>Description:</strong></td><td>Checks for low free hard drive space.</td></tr>
|
||||
<tr><td><strong>Value:</strong></td><td>66%</td></tr>
|
||||
<tr><td><strong>Condition:</strong></td><td><font color="00ff00">Optimal</font></td></tr>
|
||||
<tr><td><strong>Guidance:</strong></td><td>For best performance, your hard drive should have at least 10% of its capacity as free space.</td></tr>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<tr><th colspan="2"><font color="00ff00">Non-Functioning Devices</font></th></tr>
|
||||
<tr><td><strong>Description:</strong></td><td>List of non-functioning devices in Device Manager.</td></tr>
|
||||
<tr><td><strong>Value:</strong></td><td></td></tr>
|
||||
<tr><td><strong>Condition:</strong></td><td><font color="00ff00">Optimal</font></td></tr>
|
||||
<tr><td><strong>Guidance:</strong></td><td>Non-functioning devices in Device Manager may cause unpredictable problems with Surface devices such as, but not limited to, no power savings for the respective hardware component.</td></tr>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<tr><th colspan="2"><font color="00ff00">External Monitor</font></th></tr>
|
||||
<tr><td><strong>Description:</strong></td><td>Checks for an external monitor that may have compatibility issues.</td></tr>
|
||||
<tr><td><strong>Value:</strong></td><td></td></tr>
|
||||
<tr><td><strong>Condition:</strong></td><td><font color="00ff00">Optimal</font></td></tr>
|
||||
<tr><td><strong>Guidance:</strong></td><td>Check with the original equipment manufacturer for compatibility with your Surface device.</td></tr>
|
||||
</table>
|
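Review bot: The default output location in "Running SDT app console" is given as `C:\Administrator\user`, which does not match the profile path used in the install example of the companion topic (`C:\Users\Administrator\...`); please confirm the real directory, and state where the relative paths in the examples (`SDT_DataCollection.zip`, `BPA.html`) are written, since these files hold system details and security posture (BitLocker, Secure Boot, TPM) that administrators will want to locate and control. In the opening paragraph "STD app console" should be "SDT app console", and the note should say "Administrators group", which is the built-in group's name. In the command table, the `-bpa` row mixes a curly opening quote with a straight closing quote (“output file"), the `-windowsupdate` example is not in backticks like the other two, and the list item "Check update for missing firmware or driver updates" should read "Check Windows Update". The overview topic mentions a future `-warranty` command; either list it here as not yet available or drop the mention there. In the sample output, "digital rights managemend" is a typo, the Windows Update guidance ("Updating to the latest windows ...") needs capitalization and a closing period, and the `font color` values (`00ff00`, `ff9500`) are missing the leading `#`.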
99
devices/surface/surface-diagnostic-toolkit-desktop-mode.md
Normal file
@ -0,0 +1,99 @@
|
||||
---
|
||||
title: Use Surface Diagnostic Toolkit for Business in desktop mode
|
||||
description: How to use SDT to help users in your organization run the tool to identify and diagnose issues with the Surface device.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
author: jdeckerms
|
||||
ms.author: jdecker
|
||||
ms.topic: article
|
||||
ms.date: 11/15/2018
|
||||
---
|
||||
|
||||
# Use Surface Diagnostic Toolkit for Business in desktop mode
|
||||
|
||||
This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error.
|
||||
|
||||
1. Direct the user to install [the SDT package](surface-diagnostic-toolkit-business.md#create-custom-sdt) from a software distribution point or network share. After it is installed, you’re ready to guide the user through a series of tests.
|
||||
|
||||
2. Begin at the home page, which allows users to enter a description of the issue, and click **Continue**, as shown in figure 1.
|
||||
|
||||

|
||||
|
||||
*Figure 1. SDT in desktop mode*
|
||||
|
||||
3. When SDT indicates the device has the latest updates, click **Continue** to advance to the catalog of available tests, as shown in figure 2.
|
||||
|
||||

|
||||
|
||||
*Figure 2. Select from SDT options*
|
||||
|
||||
4. You can choose to run all the diagnostic tests. Or, if you already suspect a particular issue such as a faulty display or a power supply problem, click **Select** to choose from the available tests and click **Run Selected**, as shown in figure 3. See the following table for details of each test.
|
||||
|
||||

|
||||
|
||||
*Figure 3. Select hardware tests*
|
||||
|
||||
Hardware test | Description
|
||||
--- | ---
|
||||
Power Supply and Battery | Checks Power supply is functioning optimally
|
||||
Display and Sound | Checks brightness, stuck or dead pixels, speaker and microphone functioning
|
||||
Ports and Accessories | Checks accessories, screen attach and USB functioning
|
||||
Connectivity | Checks Bluetooth, wireless and LTE connectivity
|
||||
Security | Checks security related issues
|
||||
Touch | Checks touch related issues
|
||||
Keyboard and touch | Checks integrated keyboard connection and type cover
|
||||
Sensors | Checks functioning of different sensors in the device
|
||||
Hardware | Checks issues with different hardware components such as graphics card and camera
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<span id="multiple" />
|
||||
## Running multiple hardware tests to troubleshoot issues
|
||||
|
||||
SDT is designed as an interactive tool that runs a series of tests. For each test, SDT provides instructions summarizing the nature of the test and what users should expect or look for in order for the test to be successful. For example, to diagnose if the display brightness is working properly, SDT starts at zero and increases the brightness to 100 percent, asking users to confirm – by answering **Yes** or **No** -- that brightness is functioning as expected, as shown in figure 4.
|
||||
|
||||
For each test, if functionality does not work as expected and the user clicks **No**, SDT generates a report of the possible causes and ways to troubleshoot it.
|
||||
|
||||

|
||||
|
||||
*Figure 4. Running hardware diagnostics*
|
||||
|
||||
1. If the brightness successfully adjusts from 0-100 percent as expected, direct the user to click **Yes** and then click **Continue**.
|
||||
2. If the brightness fails to adjust from 0-100 percent as expected, direct the user to click **No** and then click **Continue**.
|
||||
3. Guide users through remaining tests as appropriate. When finished, SDT automatically provides a high-level summary of the report of the possible causes of any hardware issues along with guidance for resolution.
|
||||
|
||||
|
||||
### Repairing applications
|
||||
|
||||
SDT enables you to diagnose and repair applications that may be causing issues, as shown in figure 5.
|
||||
|
||||

|
||||
|
||||
*Figure 5. Running repairs*
|
||||
|
||||
|
||||
|
||||
|
||||
<span id="logs" />
|
||||
### Generating logs for analyzing issues
|
||||
|
||||
SDT provides extensive log-enabled diagnosis support across applications, drivers, hardware, and operating system issues, as shown in figure 6.
|
||||
|
||||

|
||||
|
||||
*Figure 6. Generating logs*
|
||||
|
||||
|
||||
|
||||
<span id="detailed-report" />
|
||||
### Generating detailed report comparing device vs. optimal configuration
|
||||
|
||||
Based on the logs, SDT generates a report for software- and firmware-based issues that you can save to a preferred location.
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
|
||||
|
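Review bot: In the hardware test table, the row "Keyboard and touch" overlaps the separate "Touch" row, and its description ("Checks integrated keyboard connection and type cover") mentions no touch check; rename the row to match what the test covers, or fold the two rows together. The "Security" and "Touch" descriptions ("Checks security related issues", "Checks touch related issues") only restate the test name; say which components or settings each test examines so an administrator can decide whether to run it. The sections "Repairing applications", "Generating logs for analyzing issues" and "Generating detailed report comparing device vs. optimal configuration" are H3 headings under "Running multiple hardware tests to troubleshoot issues", although the overview topic lists them as separate capabilities; promoting them to H2 would match that. Minor: "Checks Power supply" has stray capitalization, the brightness sentence mixes an en dash with "--" around the aside, and "0-100 percent" in the numbered steps reads better as "0 to 100 percent".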
@ -7,7 +7,7 @@ ms.sitesec: library
|
||||
author: jaimeo
|
||||
ms.localizationpriority: medium
|
||||
ms.author: jaimeo
|
||||
ms.date: 06/01/2018
|
||||
ms.date: 11/16/2018
|
||||
---
|
||||
|
||||
# Configure Windows Update for Business
|
||||
@ -20,10 +20,6 @@ ms.date: 06/01/2018
|
||||
|
||||
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
|
||||
|
||||
>[!IMPORTANT]
|
||||
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still appear in some of our products.
|
||||
>
|
||||
>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
|
||||
|
||||
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
|
||||
|
||||
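Review bot: The IMPORTANT note explaining that CB means Semi-Annual Channel (Targeted) and CBB means Semi-Annual Channel is dropped in this hunk, but the policy and registry names that follow on the page (for example `DeferUpgrade` and `RequireDeferUpgrade` for version 1511) still come from the older branch terminology. Please check that no remaining text on the page uses CB or CBB without explanation before removing the note, or keep a one-line pointer to the naming changes.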
@ -40,83 +36,77 @@ By grouping devices with similar deferral periods, administrators are able to cl
|
||||
>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/).
|
||||
|
||||
<span id="configure-devices-for-current-branch-or-current-branch-for-business"/>
|
||||
## Configure devices for Current Branch (CB) or Current Branch for Business (CBB)
|
||||
|
||||
With Windows Update for Business, you can set a device to be on either the Current Branch (CB) (now called Semi-Annual Channel (Targeted)) or the Current Branch for Business (CBB) (now called Semi-Annual Channel) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
|
||||
|
||||
## Configure devices for the appropriate service channel
|
||||
|
||||
With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the Semi-Annual Channel servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
|
||||
|
||||
**Release branch policies**
|
||||
|
||||
| Policy | Sets registry key under **HKLM\Software** |
|
||||
| --- | --- |
|
||||
| GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
|
||||
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
|
||||
| MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
|
||||
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
|
||||
| GPO for Windows 10, version 1607 or later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
|
||||
| GPO for Windows 10, version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
|
||||
| MDM for Windows 10, version 1607 or later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
|
||||
| MDM for Windows 10, version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
|
||||
|
||||
Starting with version 1703, users are able to configure their device's branch readiness level, by going to **Settings > Update & security > Windows Update > Advanced options**.
|
||||
Starting with Windows 10, version 1703, users can configure the branch readiness level for their device by using **Settings > Update & security > Windows Update > Advanced options**.
|
||||
|
||||

|
||||
|
||||
>[!NOTE]
|
||||
>Users will not be able to change this setting if it was configured by policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
|
||||
|
||||
## Configure when devices receive Feature Updates
|
||||
## Configure when devices receive feature updates
|
||||
|
||||
After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
|
||||
After you configure the servicing branch (Windows Insider Preview or Semi-Annual Channel), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>This policy does not apply to Windows 10 Mobile Enterprise.
|
||||
>
|
||||
>You can only defer up to 180 days prior to version 1703.
|
||||
>You can only defer up to 180 days on devices running Windows 10, version 1703.
|
||||
|
||||
**Examples**
|
||||
For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.
|
||||
|
||||
| Settings | Scenario and behavior |
|
||||
| --- | --- |
|
||||
| Device is on CB</br>DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Device will not receive update until February, 30 days later. |
|
||||
| Device is on CBB</br>DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Four months later, in April, Feature Update X is released to CBB. Device will receive the Feature Update 30 days following this CBB release and will update in May. |
|
||||
|
||||
</br></br>
|
||||
**Defer Feature Updates policies**
|
||||
**Policy settings for deferring feature updates**
|
||||
|
||||
| Policy | Sets registry key under **HKLM\Software** |
|
||||
| --- | --- |
|
||||
| GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
|
||||
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
|
||||
| MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
|
||||
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
|
||||
| GPO for Windows 10, version 1607 later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
|
||||
| GPO for Windows 10, version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
|
||||
| MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
|
||||
| MDM for Windows 10, version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
|
||||
|
||||
>[!NOTE]
|
||||
>If not configured by policy, users can defer feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
|
||||
>If not configured by policy, individual users can defer feature updates by using **Settings > Update & security > Windows Update > Advanced options**.
|
||||
|
||||
## Pause Feature Updates
|
||||
## Pause feature updates
|
||||
|
||||
You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
|
||||
You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, you can then pause Feature Updates for the device again.
|
||||
|
||||
Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date.
|
||||
Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
|
||||
|
||||
In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
|
||||
In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>This policy does not apply to Windows 10 Mobile Enterprise.
|
||||
>
|
||||
>Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has been changed to 35, similar to the number of days for quality updates.
|
||||
>In Windows 10, version 1703 and later versions, you can pause feature updates to 35 days, similar to the number of days for quality updates.
|
||||
|
||||
**Pause Feature Updates policies**
|
||||
**Policy settings for pausing feature updates**
|
||||
|
||||
| Policy | Sets registry key under **HKLM\Software** |
|
||||
| --- | --- |
|
||||
| GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates</br>**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate |
|
||||
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
|
||||
| MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates</br> **1703:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate |
|
||||
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
|
||||
| GPO for Windows 10, version 1607 and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates</br>**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate |
|
||||
| GPO for Windows 10, version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
|
||||
| MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates</br> **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate |
|
||||
| MDM for Windows 10, version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
|
||||
|
||||
You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
|
||||
You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
|
||||
|
||||
The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
|
||||
The local group policy editor (GPEdit.msc) will not reflect whether the Feature Update pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking Feature Updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
|
||||
|
||||
| Value | Status|
|
||||
| --- | --- |
|
||||
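Review bot: the rewritten deferral note, "You can only defer up to 180 days on devices running Windows 10, version 1703", changes the meaning of the line it replaces, which applied the 180-day cap to versions prior to 1703; the paragraph above it still gives 365 days for `DeferFeatureUpdatesPeriodinDays`, so the cap should be worded as applying to versions earlier than 1703. Two smaller wording points in the same hunk: the new GPO row in the deferral table reads "version 1607 later" (a word is missing, and the sibling rows alternate between "or later" and "and later"), and the new pause note "you can pause feature updates to 35 days" should read "for up to 35 days". That note also no longer records the 60-day limit that the old sentence gave for versions before 1703, which is worth keeping for anyone still managing those devices.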
@ -125,58 +115,58 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda
|
||||
| 2 | Feature Updates have auto-resumed after being paused |
|
||||
|
||||
>[!NOTE]
|
||||
>If not configured by policy, users can pause feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
|
||||
>If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**.
|
||||
|
||||
With version 1703, pausing through the settings app will provide a more consistent experience:
|
||||
- Any active restart notification are cleared or closed
|
||||
- Any pending restarts are canceled
|
||||
- Any pending update installations are canceled
|
||||
- Any update installation running when pause is activated will attempt to rollback
|
||||
Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically:
|
||||
- Any active restart notification are cleared or closed.
|
||||
- Any pending restarts are canceled.
|
||||
- Any pending update installations are canceled.
|
||||
- Any update installation running when pause is activated will attempt to roll back.
|
||||
|
||||
## Configure when devices receive Quality Updates
|
||||
|
||||
Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
|
||||
Quality Updates are typically published on the first Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
|
||||
|
||||
You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When this is done, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
|
||||
You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>This policy defers both Feature and Quality Updates on Windows 10 Mobile Enterprise.
|
||||
|
||||
**Defer Quality Updates policies**
|
||||
**Policy settings for deferring quality updates**
|
||||
|
||||
| Policy | Sets registry key under **HKLM\Software** |
|
||||
| --- | --- |
|
||||
| GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
|
||||
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
|
||||
| MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
|
||||
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
|
||||
| GPO for Windows 10, version 1607 and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
|
||||
| GPO for Windows 10, version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
|
||||
| MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
|
||||
| MDM for Windows 10, version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
|
||||
|
||||
>[!NOTE]
|
||||
>If not configured by policy, users can defer quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
|
||||
>If not configured by policy, individual users can defer quality updates by using **Settings > Update & security > Windows Update > Advanced options**.
|
||||
|
||||
## Pause Quality Updates
|
||||
## Pause quality updates
|
||||
|
||||
You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again.
|
||||
You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality Updates. Following this scan, you can then pause quality Updates for the device again.
|
||||
|
||||
Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date.
|
||||
Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
|
||||
|
||||
In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
|
||||
In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise.
|
||||
>[!NOTE]
|
||||
>Starting with Windows 10, version 1809, IT administrators can prevent individual users from pausing updates.
|
||||
|
||||
**Pause Quality Updates policies**
|
||||
**Policy settings for pausing quality updates**
|
||||
|
||||
| Policy | Sets registry key under **HKLM\Software** |
|
||||
| --- | --- |
|
||||
| GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates</br>**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime |
|
||||
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
|
||||
| MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates</br>**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime |
|
||||
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
|
||||
| GPO for Windows 10, version 1607 and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates</br>**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime |
|
||||
| GPO for Windows 10, version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
|
||||
| MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates</br>**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime |
|
||||
| MDM for Windows 10, version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
|
||||
|
||||
You can check the date that Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
|
||||
You can check the date that quality Updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
|
||||
|
||||
The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
|
||||
The local group policy editor (GPEdit.msc) will not reflect whether the quality Update pause period has expired. Although the device will resume quality Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
|
||||
|
||||
| Value | Status|
|
||||
| --- | --- |
|
||||
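Review bot: the reworded opening of "Configure when devices receive Quality Updates" keeps "the first Tuesday of every month", while the Windows Update for Business overview changed later in this PR says Quality Updates are "typically released the second Tuesday of each month"; the two topics should agree. Capitalization is also inconsistent in the new quality-update lines ("quality Updates" in the pause paragraph, the **PausedQualityDate** sentence and the **PausedQualityStatus** sentence), and the "Configure when devices receive Quality Updates" heading was left in title case although the neighbouring headings were changed to sentence case. In the pause tables, the new quality-update rows still label the start-time key "**1703:**" where the feature-update rows were changed to "**1703 and later:**". The new list item "Any active restart notification are cleared or closed." needs "notifications". The version 1809 note about preventing users from pausing updates would be more useful if it named the policy that does it.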
@ -185,21 +175,22 @@ The local group policy editor (GPEdit.msc) will not reflect if your Quality Upda
|
||||
| 2 | Quality Updates have auto-resumed after being paused |
|
||||
|
||||
>[!NOTE]
|
||||
>If not configured by policy, users can pause quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
|
||||
>If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**.
|
||||
|
||||
With version 1703, pausing through the settings app will provide a more consistent experience:
|
||||
Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically:
|
||||
- Any active restart notification are cleared or closed
|
||||
- Any pending restarts are canceled
|
||||
- Any pending update installations are canceled
|
||||
- Any update installation running when pause is activated will attempt to rollback
|
||||
|
||||
## Configure when devices receive Windows Insider preview builds
|
||||
## Configure when devices receive Windows Insider Preview builds
|
||||
|
||||
Starting with Windows 10, version 1709, you can set policies to manage preview builds and their delivery:
|
||||
|
||||
The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
|
||||
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
|
||||
* MDM: **Update/ManagePreviewBuilds**
|
||||
* System Center Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy**
|
||||
|
||||
>[!IMPORTANT]
|
||||
>This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here:
|
||||
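Review bot: the four bullets under the new lead-in "Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically:" were left as they were, so this list has no terminal periods and says "rollback", while the identical list in the feature-update section now has periods and "roll back"; bring the two lists in line and fix "notification are" in both. In the Insider Preview note further down, "the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703" appears to have lost a word after "under" and could be fixed while this section is being edited.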
@ -212,18 +203,18 @@ The policy settings to **Select when Feature Updates are received** allows you t
|
||||
|
||||
## Exclude drivers from Quality Updates
|
||||
|
||||
In Windows 10, starting with version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete.
|
||||
Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to Feature Updates, where drivers might be dynamically installed to ensure the Feature Update process can complete.
|
||||
|
||||
**Exclude driver policies**
|
||||
**Policy settings to exclude drivers**
|
||||
|
||||
| Policy | Sets registry key under **HKLM\Software** |
|
||||
| --- | --- |
|
||||
| GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
|
||||
| MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
|
||||
| GPO for Windows 10, version 1607 and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
|
||||
| MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
|
||||
|
||||
## Summary: MDM and Group Policy for version 1703
|
||||
## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later
|
||||
|
||||
Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607 and above.
|
||||
The following are quick-reference tables of the supported policy values for Windows Update for Business in Windows 10, version 1607 and later.
|
||||
|
||||
**GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
|
||||
|
||||
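Review bot: the new heading "Summary: MDM and Group Policy settings for Windows 10, version 1703 and later" does not match the sentence directly beneath it, which introduces the tables as covering "Windows 10, version 1607 and later"; pick one baseline version and use it in both places. "Policy settings to exclude drivers" also differs from the "Policy settings for ..." pattern used for the other table captions in this change.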
@ -252,25 +243,14 @@ Below are quick-reference tables of the supported Windows Update for Business po
|
||||
|
||||
## Update devices to newer versions
|
||||
|
||||
Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, also uses a few GPO and MDM keys that are different to what's available in version 1607. However, Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
|
||||
Due to the changes in Windows Update for Business, Windows 10, version 1607 uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703 also uses a few GPO and MDM keys that are different from those available in version 1607. However, Windows Update for Business devices running older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
|
||||
|
||||
### How older version policies are respected on newer versions
|
||||
|
||||
When a client running a newer version sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for it's version. If these are not present, it will then check to see if any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent.
|
||||
When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these are not present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent.
|
||||
|
||||
### Comparing the version 1511 keys to the version 1607 keys
|
||||
|
||||
In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other.
|
||||
|
||||
<table><caption>Group Policy keys</caption><thead><th>Version 1511 GPO keys</th><th>Version 1607 GPO keys</th></thead>
|
||||
<tbody><tr><td valign="top">**DeferUpgrade**: *enable/disable*</br>Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).</br></br>**DeferUpgradePeriod**: *0 - 8 months*</br></br>**DeferUpdatePeriod**: *1 – 4 weeks*</br></br>**Pause**: *enable/disable*</br>Enabling will pause both upgrades and updates for a max of 35 days</br></td><td>**DeferFeatureUpdates**: *enable/disable*</br></br>**BranchReadinessLevel**</br>Set device on CB or CBB</br></br>**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*</br></br>**PauseFeatureUpdates**: *enable/disable*</br>Enabling will pause Feature updates for a max of 60 days</br></br>**DeferQualityUpdates**: *Enable/disable*</br></br>**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*</br></br>**PauseQualityUpdates**: *enable/disable*</br>Enabling will pause Quality updates for a max of 35 days</br></br>**ExcludeWUDrivers**: *enable/disable*</br></td></tr>
|
||||
</table>
|
||||
|
||||
<table><caption>MDM keys</caption><thead><th>Version 1511 MDM keys</th><th>Version 1607 MDM keys</th></thead>
|
||||
<tbody><tr><td valign="top">**RequireDeferUpgade**: *bool*</br>Puts the device on CBB (no ability to defer updates while on the CB branch).</br></br>**DeferUpgradePeriod**: *0 - 8 months*</br></br>**DeferUpdatePeriod**: *1 – 4 weeks*</br></br>**PauseDeferrals**: *bool*</br>Enabling will pause both upgrades and updates for a max of 35 days</br></td><td>**BranchReadinessLevel**</br>Set system on CB or CBB</br></br>**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*</br></br>**PauseFeatureUpdates**: *enable/disable*</br>Enabling will pause Feature updates for a max of 60 days</br></br>**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*</br></br>**PauseQualityUpdates**: *enable/disable*</br>Enabling will pause Quality updates for a max of 35 days</br></br>**ExcludeWUDriversInQualityUpdate**: *enable/disable*</br></td></tr>
|
||||
</tbody></table>
|
||||
|
||||
### Comparing the version 1607 keys to the version 1703 keys
|
||||
### Comparing keys in Windows 10, version 1607 to Windows 10, version 1703
|
||||
|
||||
| Version 1607 key | Version 1703 key |
|
||||
| --- | --- |
|
||||
|
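Review bot: in the rewritten paragraph under "How older version policies are respected on newer versions", "it then checks whether any of the older version keys are set and defer accordingly" needs "defers", and "Windows Updates for Business policy keys" should be "Windows Update for Business" to match the product name used everywhere else in the topic. The hunk also appears to drop the "Comparing the version 1511 keys to the version 1607 keys" section and its two tables, yet the "Update devices to newer versions" paragraph still states that version 1607 uses different GPO and MDM keys than version 1511; either keep a short mapping or point readers to where the 1511 keys are still listed in the per-setting tables.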
@ -7,7 +7,7 @@ ms.sitesec: library
|
||||
author: jaimeo
|
||||
ms.localizationpriority: medium
|
||||
ms.author: jaimeo
|
||||
ms.date: 06/01/2018
|
||||
ms.date: 11/16/2018
|
||||
---
|
||||
|
||||
# Deploy updates using Windows Update for Business
|
||||
@ -20,12 +20,9 @@ ms.date: 06/01/2018
|
||||
|
||||
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
|
||||
|
||||
>[!IMPORTANT]
|
||||
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still apear in some of our products.
|
||||
>
|
||||
>In the following settings, CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
|
||||
|
||||
Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices.
|
||||
|
||||
Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined devices. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices.
|
||||
|
||||
Specifically, Windows Update for Business allows for:
|
||||
|
||||
@ -35,7 +32,7 @@ Specifically, Windows Update for Business allows for:
|
||||
- Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution.
|
||||
- Control over diagnostic data level to provide reporting and insights in Windows Analytics.
|
||||
|
||||
Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education.
|
||||
Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education editions.
|
||||
|
||||
>[!NOTE]
|
||||
>See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
|
||||
@ -48,79 +45,70 @@ Windows Update for Business provides three types of updates to Windows 10 device
|
||||
- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
|
||||
- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
|
||||
|
||||
Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business.
|
||||
Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a deferral period of 365 days, the update will not be offered until 365 days after that update was released).
|
||||
|
||||
| Category | Maximum deferral | Deferral increments | Example | Classification GUID |
|
||||
| Category | Maximum deferral | Deferral increments | Example | WSUS classification GUID |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days</br>In Windows 10, version 1703 maximum is 365 | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
|
||||
| Quality Updates | 30 days | Days | Security updates</br>Drivers (optional)</br>Non-security updates</br>Microsoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441</br>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</br>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</br>varies |
|
||||
| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days.</br>From Windows 10, version 1703 to version 1809, the maximum is 365 days. | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
|
||||
| Quality Updates | 30 days | Days | Security updates</br>Drivers (optional)</br>Non-security updates</br>Microsoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441</br></br>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</br></br>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</br></br>varies |
|
||||
| Non-deferrable | No deferral | No deferral | Definition updates | E0789628-CE08-4437-BE74-2495B842F43B |
|
||||
|
||||
>[!NOTE]
|
||||
>For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/library/ff357803.aspx).
|
||||
|
||||
## Changes to Windows Update for Business in Windows 10, version 1709
|
||||
## Windows Update for Business in various Windows 10 versions
|
||||
|
||||
The group policy path for Windows Update for Business was changed to correctly reflect its association to Windows Update for Business.
|
||||
Windows Update for Business was first available in Windows 10, version 1511. This diagram lists new or changed capabilities and updated behavior in subsequent versions.
|
||||
|
||||
| Prior to Windows 10, version 1709 | Windows 10, version 1709 |
|
||||
| --- | --- |
|
||||
| Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Update | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business |
|
||||
|
||||
We have added the ability to manage Windows Insider preview builds and their delivery:
|
||||
| Windows 10, version 1511 | 1607 | 1703 | 1709 | 1803 | 1809 |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| Defer quality updates</br>Defer feature updates</br>Pause updates | All 1511 features, plus: **WSUS integration** | All 1607 features, plus **Settings controls** | All 1703 features, plus **Ability to set slow vs. fast Insider Preview branch** | All 1709 features, plus **Uninstall updates remotely** | All 1803 features, plus **Option to use default automatic updates**</br>**Ability to set separate deadlines for feature vs. quality updates**</br>**Admins can prevent users from pausing updates**
|
||||
## Managing Windows Update for Business with Group Policy
|
||||
|
||||
The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
|
||||
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
|
||||
* MDM: **Update/ManagePreviewBuilds**
|
||||
The group policy path for Windows Update for Business has changed to correctly reflect its association to Windows Update for Business and provide the ability to easily manage pre-release Windows Insider Preview builds in Windows 10, version 1709.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here:
|
||||
>* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds**
|
||||
>* MDM: **System/AllowBuildPreview**
|
||||
| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 |
|
||||
| --- | --- | --- |
|
||||
| Set Windows Update for Business Policies | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Update | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business |
|
||||
| Manage Windows Insider Preview builds | Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds | Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business - *Manage preview builds* |
|
||||
| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received </br> (Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business - **Select when Preview Builds and Feature Updates are received**) |
|
||||
|
||||
The policy settings to **Select when Feature Updates are received** is now called **Select when Preview Builds and Feature Updates are received**. In addition to previous functionality, it now allows you to choose between preview flight rings, and allows you to defer or pause their delivery.
|
||||
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received*
|
||||
* MDM: **Update/BranchReadinessLevel**
|
||||
## Managing Windows Update for Business with MDM
|
||||
|
||||
## Changes to Windows Update for Business in Windows 10, version 1703
|
||||
Starting with Windows 10, version 1709, Windows Update for Business was changed to correctly reflect its association to Windows Update for Business and provide the ability to easily manage Windows Insider Preview builds in 1709.
|
||||
|
||||
### Options added to Settings
|
||||
| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 |
|
||||
| --- | --- | --- |
|
||||
| Manage Windows Insider Preview builds | System/AllowBuildPreview | Update/ManagePreviewBuilds |
|
||||
| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Update/BranchReadinessLevel) |
|
||||
|
||||
We have added a few controls into settings to allow users to control Windows Update for Business through an interface.
|
||||
- [Configuring the device's branch readiness level](waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), through **Settings > Update & security > Windows Update > Advanced options**
|
||||
- [Pausing feature updates](waas-configure-wufb.md#pause-feature-updates), through **Settings > Update & security > Window Update > Advanced options**
|
||||
## Managing Windows Update for Business with Software Center Configuration Manager
|
||||
|
||||
### Adjusted time periods
|
||||
Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within Software Center Configuration Manager.
|
||||
|
||||
We have adjusted the maximum pause period for both quality and feature updates to be 35 days, as opposed to 30 and 60 days previously, respectively.
|
||||
| Action | Windows 10 versions between 1709 and 1809 | Windows 10 versions after 1809 |
|
||||
| --- | --- | --- |
|
||||
| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within Software Center Configuration Manager |
|
||||
|
||||
We have also adjusted the maximum feature update deferral period to be 365 days, as opposed to 180 days previously.
|
||||
## Managing Windows Update for Business with Windows Settings options
|
||||
Windows Settings includes options to control certain Windows Update for Business features:
|
||||
|
||||
### Additional changes
|
||||
- [Configure the readiness level](waas-configure-wufb.md#configure-devices-for-the-appropriate-service-channel) for a branch by using **Settings > Update & security > Windows Update > Advanced options**
|
||||
- [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) by using Settings > Update & security > Window Update > Advanced options
|
||||
|
||||
The pause period is now calculated starting from the set start date. For additional details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). Due to that, some policy keys are now named differently. For more information, see [Comparing the version 1607 keys to the version 1703 keys](waas-configure-wufb.md#comparing-the-version-1607-keys-to-the-version-1703-keys).
|
||||
## Other changes in Windows Update for Business in Windows 10, version 1703 and later releases
|
||||
|
||||
## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607
|
||||
|
||||
Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.
|
||||
### Pause and deferral periods
|
||||
|
||||
>[!NOTE]
|
||||
>For more information on Current Branch (Semi-Annual Channel (Targeted)) and Current Branch for Business (Semi-Annual Channel), see [Windows 10 servicing options](waas-overview.md#servicing-channels).
|
||||
The maximum pause time period is 35 days for both quality and feature updates. The maximum deferral period for feature updates is 365 days.
|
||||
|
||||
<table>
|
||||
<thead>
|
||||
<tr><th>Capability</th><th>Windows 10, version 1511</th><th>Windows 10, version 1607</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr><td><p>Select servicing options: CB or CBB</p></td><td><p>Not available. To defer updates, all systems must be on the Current Branch for Business (CBB)</p></td><td><p>Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB).</p></td></tr>
|
||||
<tr><td><p>Quality Updates</p></td><td><p>Able to defer receiving Quality Updates:</p><ul><li>Up to 4 weeks</li><li>In weekly increments</li></ul></td><td><p>Able to defer receiving Quality Updates:</p><ul><li>Up to 30 days</li><li>In daily increments</li></ul></td></tr>
|
||||
<tr><td><p>Feature Updates</p></td><td><p>Able to defer receiving Feature Updates:</p><ul><li>Up to 8 months</li><li>In monthly increments</li></ul></td><td><p>Able to defer receiving Feature Updates:</p><ul><li>Up to 180 days</li><li>In daily increments</li></ul></td></tr>
|
||||
<tr><td><p>Pause updates</p></td><td><ul><li>Feature Updates and Quality Updates paused together</li><li>Maximum of 35 days</li></ul></td><td><p>Features and Quality Updates can be paused separately.</p><ul><li>Feature Updates: maximum 60 days</li><li>Quality Updates: maximum 35 days</li></ul></td></tr>
|
||||
<tr><td><p>Drivers</p></td><td><p>No driver-specific controls</p></td><td><p>Drivers can be selectively excluded from Windows Update for Business.</p></td></tr>
|
||||
</tbody></table>
|
||||
Also, the pause period is calculated from the set start date. For more details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). As a result, certain policy keys have different names; see the "Comparing keys in Windows 10, version 1607 to Windows 10, version 1703" section in [Configure Windows Update for Business](waas-configure-wufb.md) for details.
|
||||
|
||||
## Monitor Windows Updates using Update Compliance
|
||||
|
||||
|
||||
## Monitor Windows Updates by using Update Compliance
|
||||
|
||||
Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.
|
||||
|
||||
|
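Review bot: the new Group Policy and MDM tables head their columns "Windows 10 versions prior to 1709" and "Windows 10 versions after 1709", which leaves version 1709 itself in neither column even though the paragraphs above them describe the change as arriving in 1709; "version 1709 and later" would match. The Configuration Manager table has a similar boundary problem ("between 1709 and 1809" against "after 1809", while its paragraph says "Starting with Windows 10, version 1809"). Also in this hunk: the product is written "Software Center Configuration Manager" three times, where the Surface TOC in this same PR uses System Center Configuration Manager; the MDM paragraph "Windows Update for Business was changed to correctly reflect its association to Windows Update for Business" has lost its subject; "This diagram lists" introduces a table; and the Pause feature updates bullet says "Window Update" and drops the bold used on the bullet above it.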
@ -6,6 +6,7 @@
|
||||
#### [Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md)
|
||||
##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md)
|
||||
###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md)
|
||||
####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
|
||||
###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md)
|
||||
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
|
||||
##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
|
||||
|
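Review bot: the entry `####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)` uses seven `#` characters, one level deeper than its parent "Application isolation" at six. Markdown headings stop at six levels, so confirm the TOC build accepts a seventh; if it does not, attach the page at level six or flatten this branch, as the sibling TOC later in this PR does with `######`.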
@ -0,0 +1,7 @@
|
||||
# [Windows Defender Application Guard](wd-app-guard-overview.md)
|
||||
|
||||
## [System requirements](reqs-wd-app-guard.md)
|
||||
## [Install WDAG](install-wd-app-guard.md)
|
||||
## [Configure WDAG policies](configure-wd-app-guard.md)
|
||||
## [Test scenarios](test-scenarios-wd-app-guard.md)
|
||||
## [FAQ](faq-wd-app-guard.md)
|
@ -4,6 +4,7 @@
|
||||
### [Attack surface reduction](overview-attack-surface-reduction.md)
|
||||
#### [Hardware-based isolation](overview-hardware-based-isolation.md)
|
||||
##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md)
|
||||
###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md)
|
||||
##### [System isolation](how-hardware-based-containers-help-protect-windows.md)
|
||||
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
|
||||
#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
|
||||
|
@ -50,8 +50,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and alert and domain exist - 200 OK.
|
||||
If alert not found or domain not found - 404 Not Found.
|
||||
If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
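Review bot: the merged sentence covers only "alert not found" for the 404 case, so the response for an alert that exists but has no related domain is now undocumented. State what the caller receives in that case, because a client written against the old text treats 404 as "no related domain". The same gap applies to the related-files and related-IP pages changed just below.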
@ -50,8 +50,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and alert and files exist - 200 OK.
|
||||
If alert not found or files not found - 404 Not Found.
|
||||
If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -51,7 +51,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and alert and an IP exist - 200 OK. If alert not found or IPs not found - 404 Not Found.
|
||||
If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -52,8 +52,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and alert and machine exist - 200 OK.
|
||||
If alert not found or machine not found - 404 Not Found.
|
||||
If successful and alert and machine exist - 200 OK. If alert not found or machine not found - 404 Not Found.
|
||||
|
||||
## Example
|
||||
|
||||
|
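Review bot: this page keeps "If alert not found or machine not found - 404 Not Found" while the sibling alert pages in this PR (domain, files, IP) were reduced to "If alert not found". Either the machine lookup still returns 404 when no machine is related, in which case say why it differs, or the sentence should be trimmed to match. The related-user page that follows ("If alert or user not found") raises the same question.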
@ -51,8 +51,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and alert and a user exists - 200 OK with user in the body.
|
||||
If alert not found or user not found - 404 Not Found.
|
||||
If successful and alert and a user exists - 200 OK with user in the body. If alert or user not found - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -58,7 +58,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body. If no recent alerts found - 404 Not Found.
|
||||
If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body.
|
||||
|
||||
|
||||
## Example
|
||||
|
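Review bot: dropping "If no recent alerts found - 404 Not Found" leaves the empty case unstated. Add a clause saying what is returned when there are no alerts (presumably 200 with an empty list, but the text should say so), so integrators know whether an existing 404 handler is still the right "no data" path.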
@ -57,7 +57,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and domain and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain or alert does not exist - 404 Not Found.
|
||||
If successful and domain exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain does not exist - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -52,7 +52,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and domain and machine exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain or machines do not exist - 404 Not Found.
|
||||
If successful and domain exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain do not exist - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
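Review bot: "If domain do not exist" in the new line should be "If domain does not exist"; the plural subject that made "do" correct in the old line is gone. The same slip recurs in later hunks of this PR ("If file do not exist", "If IP do not exist", "If the user do not exist", "If successful and machine exist"), so one search-and-fix pass would cover them.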
@ -50,8 +50,7 @@ Authorization | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and domain exists - 200 OK, with statistics object in the response body.
|
||||
If domain does not exist - 404 Not Found.
|
||||
If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -52,8 +52,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body.
|
||||
If file does not exist - 404 Not Found.
|
||||
If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body. If file does not exist - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -55,8 +55,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and file and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
|
||||
If file or alerts do not exist - 404 Not Found.
|
||||
If successful and file exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -53,8 +53,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and file and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
|
||||
If file or machines do not exist - 404 Not Found.
|
||||
If successful and file exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -54,8 +54,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and file exists - 200 OK with statistical data in the body.
|
||||
If file do not exist - 404 Not Found.
|
||||
If successful and file exists - 200 OK with statistical data in the body. If file do not exist - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -53,8 +53,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and IP and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
|
||||
If IP and alerts do not exist - 404 Not Found.
|
||||
If successful and IP exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -53,8 +53,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and IP and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
|
||||
If IP or machines do not exist - 404 Not Found.
|
||||
If successful and IP exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -51,8 +51,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and machine and user exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body
|
||||
If no machine found or no users found - 404 Not Found.
|
||||
If successful and machine exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -53,7 +53,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and machine and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If no machine or no alerts found - 404 Not Found.
|
||||
If successful and machine exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -21,7 +21,7 @@ ms.date: 12/08/2017
|
||||
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
Retrieve a User entity by key (user name or domain\user).
|
||||
Retrieve a User entity by key (user name).
|
||||
|
||||
## Permissions
|
||||
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
|
||||
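Review bot: the description narrows the key from "user name or domain\user" to "user name", and the example later in this file switches from user1@contoso.com to user1, but nothing says how the key is resolved when the same user name exists in more than one domain. State the expected key format explicitly. The hunk header context still shows ms.date: 12/08/2017 for this file, unlike other pages in this PR that were bumped to 11/16/2018, so the date probably needs updating too.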
@ -58,7 +58,7 @@ Here is an example of the request.
|
||||
[!include[Improve request performance](improverequestperformance-new.md)]
|
||||
|
||||
```
|
||||
GET https://api.securitycenter.windows.com/api/users/user1@contoso.com
|
||||
GET https://api.securitycenter.windows.com/api/users/user1
|
||||
Content-type: application/json
|
||||
```
|
||||
|
||||
@ -72,7 +72,7 @@ HTTP/1.1 200 OK
|
||||
Content-type: application/json
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
|
||||
"id": "user1@contoso.com",
|
||||
"id": "user1",
|
||||
"firstSeen": "2018-08-02T00:00:00Z",
|
||||
"lastSeen": "2018-08-04T00:00:00Z",
|
||||
"mostPrevalentMachineId": null,
|
||||
|
@ -54,7 +54,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and user and alert exist - 200 OK. If user or alerts do not exist - 404 Not Found.
|
||||
If successful and user exist - 200 OK. If the user do not exist - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -55,7 +55,7 @@ Authorization | String | Bearer {token}. **Required**.
|
||||
Empty
|
||||
|
||||
## Response
|
||||
If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user or machines does not exist - 404 Not Found.
|
||||
If successful and user exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user does not exist - 404 Not Found.
|
||||
|
||||
|
||||
## Example
|
||||
|
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 10/02/2018
|
||||
ms.date: 11/16/2018
|
||||
---
|
||||
|
||||
# Customize exploit protection
|
||||
@ -53,19 +53,19 @@ Validate exception chains (SEHOP) | Ensures the integrity of an exception chain
|
||||
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
|
||||
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
||||
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
||||
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
||||
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
||||
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
||||
Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
||||
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
||||
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
||||
Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
||||
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
||||
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
||||
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
||||
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
||||
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
||||
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
||||
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
||||
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
||||
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
||||
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
||||
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
||||
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
||||
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
||||
|
||||
>[!IMPORTANT]
|
||||
>If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
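Review bot: seven rows flip their last column from check-yes to check-no here (Block remote images, EAF, IAF, SimExec, CallerCheck, Validate image dependency integrity, StackPivot), and the column heading sits outside the hunk, so the change cannot be verified from the diff alone. Please cite the source for each flip in the PR description, since admins read this table to decide how a mitigation can be rolled out. Minor: "Not compatible with ACG" in the SimExec, CallerCheck and StackPivot rows is missing its full stop.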
|
||||
|