diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index d1c0ab596f..c93f45cfd9 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -61,7 +61,9 @@ ## [Troubleshoot HoloLens](hololens-troubleshooting.md) ## [Known issues](hololens-known-issues.md) ## [Frequently asked questions](hololens-faq.md) +## [Frequently asked security questions](hololens-faq-security.md) ## [Hololens services status](hololens-status.md) +## [SCEP Whitepaper](scep-whitepaper.md) # [Release Notes](hololens-release-notes.md) # [Give us feedback](hololens-feedback.md) diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md index a183165e4a..3a194dc014 100644 --- a/devices/hololens/hololens-FAQ.md +++ b/devices/hololens/hololens-FAQ.md @@ -43,8 +43,10 @@ This FAQ addresses the following questions and issues: - [I'm having problems with the HoloLens clicker](#im-having-problems-with-the-hololens-clicker) - [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi) - [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start) +- [HoloLens Management Questions](#hololens-management-questions) - [How do I delete all spaces?](#how-do-i-delete-all-spaces) - [I cannot find or use the keyboard to type in the HoloLens 2 Emulator](#i-cannot-find-or-use-the-keyboard-to-type-in-the-hololens-2-emulator) +- [I can't log in to a HoloLens because it was previously set up for someone else](#i-cant-log-in-to-a-hololens-because-it-was-previously-set-up-for-someone-else) ## My holograms don't look right or are moving around @@ -204,6 +206,30 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe [Back to list](#list) + +## I can't log in to a HoloLens because it was previously set up for someone else + +If your device was previously set up for someone else, either a client or former employee and you don't have their password to unlock the device there are two solutions. +- If your device is MDM managed by Intune then you can remotely [Wipe](https://docs.microsoft.com/intune/remote-actions/devices-wipe) the device and it'll reflash itself. Make sure to leave **Retain enrollment state and user account** unchecked. +- If you have the device with you then you can put the device into **Flashing Mode** and use Advanced Recovery Companion to [recover](https://docs.microsoft.com/hololens/hololens-recovery) the device. + +[Back to list](#list) + +## HoloLens Management Questions + +1. **Can I use SCCM to manage the HoloLens?** + 1. No. An MDM must be used to manage the HoloLens +1. **Can I use Active Directory to manage HoloLens user accounts?** + 1. No, Azure AD must be used to manage user accounts. +1. **Is the HoloLens capable of ADCS auto enrollment?** + 1. No +1. **Can the HoloLens participate in WNA/IWA?** + 1. No +1. **Does the HoloLens support branding?** + 1. No. However, one work around is to create a custom app and enable Kiosk mode. The custom app can have branding which can then launch other apps (such as Remote Assist). Another option is to change all of the users profile pictures in AAD to your company logo. (However, this may not be desirable for all scenarios) +1. **What logging capabilities are available on HL1 and HL2?** + 1. Logging is limited to traces captured in developer/troubleshooting scenarios or telemetry sent to Microsoft servers. + ## How do I delete all spaces? *Coming soon* @@ -215,3 +241,4 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe *Coming soon* [Back to list](#list) + diff --git a/devices/hololens/hololens-commercial-infrastructure.md b/devices/hololens/hololens-commercial-infrastructure.md index 568bbe92e5..757084bb86 100644 --- a/devices/hololens/hololens-commercial-infrastructure.md +++ b/devices/hololens/hololens-commercial-infrastructure.md @@ -10,6 +10,7 @@ ms.topic: article ms.localizationpriority: high ms.date: 1/23/2020 ms.reviewer: +audience: ITPro manager: bradke appliesto: - HoloLens (1st gen) @@ -50,12 +51,12 @@ HoloLens does support a limited set of cloud disconnected experiences. ### HoloLens Specific Network Requirements -Make sure that these ports and URLs are allowed on your network firewall. This will enable HoloLens to function properly. The latest list can be found [here](hololens-offline.md). +Make sure that [this list](hololens-offline.md) of endpoints are allowed on your network firewall. This will enable HoloLens to function properly. ### Remote Assist Specific Network Requirements 1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network). -**Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer.** +**(Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).** 1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams). ### Guides Specific Network Requirements @@ -65,17 +66,17 @@ Guides only require network access to download and use the app. ## Azure Active Directory Guidance >[!NOTE] ->This step is only necessary if your company plans on managing the HoloLens and mixed reality apps. +>This step is only necessary if your company plans on managing the HoloLens. 1. Ensure that you have an Azure AD License. -Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md)for additional information. +Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for additional information. 1. If you plan on using Auto Enrollment, you will have to [Configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment) 1. Ensure that your company’s users are in Azure Active Directory (Azure AD). Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory). -1. We suggest that users who will be need similar licenses are added to a group. +1. We suggest that users who need similar licenses are added to the same group. 1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) 1. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal) @@ -100,10 +101,10 @@ These steps ensure that your company’s users (or a group of users) can add dev ### Ongoing device management >[!NOTE] ->This step is only necessary if your company plans on managing the HoloLens and mixed reality apps. +>This step is only necessary if your company plans to manage the HoloLens. Ongoing device management will depend on your mobile device management infrastructure. Most have the same general functionality but the user interface may vary widely. -1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. Some CSPs are supported by HoloLens devices. (See the list of CSPs for HoloLens [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices)). +1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. A list of CSPs for HoloLens can be found [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices). 1. [Compliance policies](https://docs.microsoft.com/intune/device-compliance-get-started) are rules and settings that devices must meet to be compliant in your corporate infrastructure. Use these policies with Conditional Access to block access to company resources for devices that are non-compliant. For example, you can create a policy that requires Bitlocker be enabled. @@ -144,7 +145,7 @@ Read more about [installing apps on HoloLens](https://docs.microsoft.com/hololen ### Certificates -You can distribute certifcates through your MDM provider. If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certs for HoloLens Authentication, PFX or SCEP may be right for you. +You can distribute certificates through your MDM provider. If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certificates for HoloLens Authentication, PFX or SCEP may be right for you. Steps for SCEP can be found [here](https://docs.microsoft.com/intune/protect/certificates-profile-scep). @@ -161,8 +162,8 @@ Directions for upgrading to the commercial suite can be found [here](https://doc 1. Check your app settings 1. Log into your Microsoft Store Business account - 1. **Manage** > **Products and Services** > **Apps and Software** > **Select the app you want to sync** > **Private Store Availability** > **Select “Everyone” or “Specific Groups”* - 1. If you do not see your apps in **Intune** > **Client Apps** > **Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again. + 1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select “Everyone” or “Specific Groups”** + 1. If you do not see your apps in **Intune > Client Apps > Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again. 1. [Create a device profile for Kiosk mode](https://docs.microsoft.com/intune/configuration/kiosk-settings#create-the-profile) diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md new file mode 100644 index 0000000000..b56e555f7d --- /dev/null +++ b/devices/hololens/hololens-faq-security.md @@ -0,0 +1,126 @@ +--- +title: Frequently Asked Security Questions +description: security questions frequently asked about the hololens +ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b +author: pawinfie +ms.author: pawinfie +ms.date: 02/19/2020 +keywords: hololens, Windows Mixed Reality, security +ms.prod: hololens +ms.sitesec: library +ms.topic: article +audience: ITPro +ms.localizationpriority: high +manager: bradke +appliesto: +- HoloLens 1 (1st gen) +- HoloLens 2 +--- + +# Frequently Asked Security Questions + +## HoloLens 1st Gen Security Questions + +1. **What type of wireless is used?** + 1. 802.11ac and Bluetooth 4.1 LE +1. **What type of architecture is incorporated? For example: point to point, mesh or something else?** + 1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points. + 1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices. +1. **What is FCC ID?** + 1. C3K1688 +1. **What frequency range and channels does the device operate on and is it configurable?** + 1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels. + 1. Bluetooth: Bluetooth uses the standard 2.4-2.48 GHz range. +1. **Can the device blacklist or white list specific frequencies?** + 1. This is not controllable by the user/device +1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?** + 1. Our emissions testing standards can be found [here](https://fccid.io/C3K1688). Range of operation is highly dependent on the access point and environment - but is roughly equivalent to other high-quality phones, tablets, or PCs. +1. **What is the duty cycle/lifetime for normal operation?** + 1. 2-3hrs of active use and up to 2 weeks of standby time + 1. Battery lifetime is unavailable. +1. **What is transmit and receive behavior when a tool is not in range?** + 1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect. +1. **What is deployment density per square foot?** + 1. This is dependent on your network infrastructure. +1. **Can device use the infrastructure as a client?** + 1. Yes +1. **What protocol is used?** + 1. HoloLens does not use any proprietary protocols +1. **OS update frequency – What is the frequency of OS updates for the HL? Is there a set schedule? Does Microsoft release security patches as needed, etc.** + 1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device. +1. **OS hardening – What options are there to harden the OS? Can we remove or shutdown unnecessary apps or services?** + 1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted. +1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?** + 1. HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed. +1. **What is the frequency of updates to apps in the store for HoloLens?** + 1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well. +1. **Is there a secure boot capability for the HoloLens?** + 1. Yes +1. **Is there an ability to disable or disconnect peripheral support from the device?** + 1. Yes +1. **Is there an ability to control or disable the use of ports on the device?** + 1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons. +1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.** + 1. Windows Holographic for Business (commercial suite) does support Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens. + 1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device. +1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.** + 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version. +1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?** + 1. No +1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** + 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client. + 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices. +1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** + 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. + +## HoloLens 2nd Gen Security Questions + +1. **What type of wireless is used?** + 1. 802.11ac and Bluetooth 5.0 +1. **What type of architecture is incorporated? For example: point to point, mesh or something else?** + 1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points. + 1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices. +1. **What is FCC ID?** + 1. C3K1855 +1. **What frequency range and channels does the device operate on and is it configurable?** + 1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels. +1. **Can the device blacklist or white list specific frequencies?** + 1. This is not controllable by the user/device +1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?** + 1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region’s regulatory rules. +1. **What is the duty cycle/lifetime for normal operation?** + 1. *Currently unavailable.* +1. **What is transmit and receive behavior when a tool is not in range?** + 1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect. +1. **What is deployment density per square foot?** + 1. This is dependent on your network infrastructure. +1. **Can device use the infrastructure as a client?** + 1. Yes +1. **What protocol is used?** + 1. HoloLens does not use any proprietary protocols +1. **OS update frequency – What is the frequency of OS updates for the HL? Is there a set schedule? Does Microsoft release security patches as needed, etc.** + 1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device. +1. **OS hardening – What options are there to harden the OS? Can we remove or shutdown unnecessary apps or services?** + 1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted. +1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?** + 1. HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed. +1. **What is the frequency of updates to apps in the store for HoloLens?** + 1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well. +1. **Is there a secure boot capability for the HoloLens?** + 1. Yes +1. **Is there an ability to disable or disconnect peripheral support from the device?** + 1. Yes +1. **Is there an ability to control or disable the use of ports on the device?** + 1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons. +1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.** + 1. HoloLens 2nd Gen supports Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens. + 1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device. +1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.** + 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version. +1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?** + 1. No +1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** + 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client. + 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices. +1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** + 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 633f296a3e..9e30e0d48f 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -12,7 +12,6 @@ ms.date: 1/6/2020 ms.reviewer: manager: dansimp appliesto: -- HoloLens (1st gen) - HoloLens 2 --- @@ -22,7 +21,7 @@ Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get ## Start receiving Insider builds -On a device running the Windows 10 April 2018 Update, go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. +On a HoloLens 2 device go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. @@ -30,7 +29,7 @@ Select **Confirm -> Restart Now** to finish up. After your device has rebooted, ## Stop receiving Insider builds -If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic. +If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Advanced Recovery Companion to recover your device to a non-Insider version of Windows Holographic. To verify that your HoloLens is running a production build: @@ -52,3 +51,53 @@ Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens to prov ## Note for developers You are welcome and encouraged to try developing your applications using Insider builds of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with Insider builds of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development. + + +## Windows Insider Release Notes + +HoloLens 2 Windows Insider builds are full of new features and improvements. Sign up for Windows Insider Fast or Slow flights to test them out! +Here's a quick summary of what's new: + +- Support for FIDO2 Security Keys to enable secure and easy authentication for shared devices +- Seamlessly apply a provisioning package from a USB drive to your HoloLens +- Use a provisioning packages to enroll your HoloLens to your Mobile Device Management system +- Use Windows AutoPilot to set up and pre-configure new devices, quickly getting them ready for productive use. Send a note to hlappreview@service.microsoft.com to join the preview. +- Dark Mode - many Windows apps support both dark and light modes, and now HoloLens customers can choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time. Navigate to Settings > System > Colors to find "Choose your default app mode." +- Support for additional system voice commands +- Hand Tracking improvements to reduce the tendency to close the index finger when pointing. This should make button pressing and 2D slate usage feel more accurate +- Performance and stability improvements across the product +- More information in settings on HoloLens about the policy pushed to the device + +Once you’ve had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers. + +### FIDO 2 support +Many of you share a HoloLens with lots of people in a work or school environment. Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long user names and passwords. FIDO lets anyone in your organization (AAD tenant) seamlessly sign in to HoloLens without entering a username or password. + +Read the [passwordless security docs](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to get started. + +### Provisioning package updates +Provisioning packages let you set HoloLens configuration through a config file rather than going through the HoloLens out of box experience. Previously, provisioning packages had to be copied onto HoloLens' internal memory, now they can be on a USB drive so they're easier to re-use on multiple HoloLens and so more people can provision HoloLens in parallel. + +1. To try it out, download the latest version of the Windows Configuration Designer from the Windows store onto your PC. +1. Select **Provision HoloLens Devices** > Select **Provision HoloLens 2 devices** +1. Build your configuration profile and, when you're done, copy all files created to a USB-C storage device. +1. Plug it into any freshly flashed HoloLens and press **Volume down + Power** to apply your provisioning package. + +### System voice commands +You can now can access these commands with your voice: +- "Restart device" +- "Shutdown device" +- "Brightness up" +- "Brightness down" +- "Volume up" +- "Volume down" +- "What is my IP address?" +If you're running your system with a different language, please try the appropriate commands in that language. + +### FFU download and flash directions +To test with a flight signed ffu, you first have to flight unlock your device prior to flashing the flight signed ffu. +1. On PC + 1. Download ffu to your PC from: [https://aka.ms/hololenspreviewdownload](https://aka.ms/hololenspreviewdownload) + 1. Install ARC (Advanced Recovery Companion) from the Microsoft Store: [https://www.microsoft.com/store/productId/9P74Z35SFRS8](https://www.microsoft.com/store/productId/9P74Z35SFRS8) +1. On HoloLens - Flight Unlock: Open **Settings** > **Update & Security** > **Windows Insider Program** then sign up, reboot device +1. Flash FFU - Now you can flash the flight signed FFU using ARC diff --git a/devices/hololens/hololens-licenses-requirements.md b/devices/hololens/hololens-licenses-requirements.md index 7636395a6b..c89587c100 100644 --- a/devices/hololens/hololens-licenses-requirements.md +++ b/devices/hololens/hololens-licenses-requirements.md @@ -10,6 +10,7 @@ ms.topic: article ms.localizationpriority: high ms.date: 1/23/2020 ms.reviewer: +audience: ITPro manager: bradke appliesto: - HoloLens (1st gen) @@ -35,16 +36,6 @@ You may need to upgrade your HoloLens 1st Gen Device to Windows Holographic for - Acquire a HoloLens Enterprise license XML file - Apply the XML file to the HoloLens. You can do this through a [Provisioning package](hololens-provisioning.md) or through your [Mobile Device Manager](https://docs.microsoft.com/intune/configuration/holographic-upgrade) -Some of the HoloLens configurations you can apply in a provisioning package: - -- Apply certificates to the device -- Set up a Wi-Fi connection -- Pre-configure out of box questions like language and locale -- (HoloLens 2) bulk enroll in mobile device management -- (HoloLens v1) Apply key to enable Windows Holographic for Business - -Follow [this guide](hololens-provisioning.md) to create and apply a provisioning package to HoloLens. - ### Remote Assist License Requirements Make sure you have the required licensing and device. Updated licensing and product requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/requirements). diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index 7eefba6e17..392032737a 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -54,7 +54,7 @@ Provisioning packages can include management instructions and policies, customiz ### 1. Install Windows Configuration Designer on your PC. (There are two ways to do this). 1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) -2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. +2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. ### 2. Create the Provisioning Package diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md index b2e0d48bc7..c873f08b58 100644 --- a/devices/hololens/hololens-recovery.md +++ b/devices/hololens/hololens-recovery.md @@ -110,8 +110,8 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper >In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion: 1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed. -1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit. It will the the only lit LED. - 1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device: +1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit. +1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device. 1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2. ### HoloLens (1st gen) diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index 9487a2f331..139648349b 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md @@ -6,6 +6,7 @@ ms.sitesec: library ms.assetid: 88bf50aa-0bac-4142-afa4-20b37c013001 author: scooley ms.author: scooley +audience: ITPro ms.topic: article ms.localizationpriority: medium ms.date: 07/15/2019 @@ -13,14 +14,16 @@ ms.date: 07/15/2019 # Deploy HoloLens in a commercial environment -You can deploy and configure HoloLens at scale in a commercial setting. This article provides instructions for deploying HoloLens devices in a commercial environment. This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time. +You can deploy and configure HoloLens at scale in a commercial setting. This article provides instructions for deploying HoloLens devices in a commercial environment. This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time. + +This document also assumes that the HoloLens has been evaluated by security teams as safe to use on the corporate network. Frequently asked security questions can be found [here](hololens-faq-security.md) ## Overview of Deployment Steps 1. [Determine what features you need](hololens-requirements.md#step-1-determine-what-you-need) 1. [Determine what licenses you need](hololens-licenses-requirements.md) 1. [Configure your network for HoloLens](hololens-commercial-infrastructure.md). - 1. This section includes bandwidth requirements, URL and Ports that need to be whitelisted on your firewall, Azure AD guidance, Mobile Device Management Guidance, app deployment/management guidance, and certificate guidance. + 1. This section includes bandwidth requirements, URL, and ports that need to be whitelisted on your firewall; Azure AD guidance; Mobile Device Management (MDM) Guidance; app deployment/management guidance; and certificate guidance. 1. (Optional) [Configure HoloLens using a provisioning package](hololens-provisioning.md) 1. [Enroll Device](hololens-enroll-mdm.md) 1. [Set up ring based updates for HoloLens](hololens-updates.md) @@ -28,7 +31,7 @@ You can deploy and configure HoloLens at scale in a commercial setting. This ar ## Step 1. Determine what you need -Before deploying the HoloLens in your environment, it is important to first determine what features, apps, and type of identities are needed. +Before deploying the HoloLens in your environment, it is important to first determine what features, apps, and type of identities are needed. It is also important to ensure that your security team has approved of the use of the HoloLens on the company's network. Please see [Frequently ask security questions](hololens-faq-security.md) for additional security information. ### Type of Features @@ -40,37 +43,35 @@ Kiosk mode is a way to restrict the apps that a user has access to. This means t **What Kiosk Mode do I require?** -There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk mode allows user to only access one app while multi-app kiosk mode allows users to access multiple specified apps. To determine which kiosk mode is right for your corporation, the following two questions need to be answered: +There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk mode allows user to only access one app while multi-app kiosk mode allows users to access multiple, specified apps. To determine which kiosk mode is right for your corporation, the following two questions need to be answered: -1. **Do different users who are require different experiences/restrictions?** Example, User A is a field service engineer who only needs access to Remote Assist. User B is a trainee who only needs access to guides… etc. +1. **Do different users require different experiences/restrictions?** Consider the following example: User A is a field service engineer who only needs access to Remote Assist. User B is a trainee who only needs access to Guides. 1. If yes, you will require the following: - 1. Azure AD Accounts as the method of signing into the devices. - 1. Multi-app kiosk mode. + 1. Azure AD Accounts as the method of signing into the device. + 1. **Multi-app** kiosk mode. 1. If no, continue to question two 1. **Do you require a multi-app experience?** - 1. If yes, Multi-app kiosk is mode is needed - 1. If your answer to question 1 and 2 are both no, Single-app kiosk mode can be used + 1. If yes, **Multi-app** kiosk is mode is needed + 1. If your answer to question 1 and 2 are both no, **single-app** kiosk mode can be used -**How to set up Kiosk Mode** +**How to Configure Kiosk Mode:** There are two main ways ([provisioning packages](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) and [MDM](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc. ### Apps -This deployment guide will cover the following types of apps: +The majority of the steps found in this document will also apply to the following apps: 1. Remote Assist 2. Guides 3. Customer Apps -Each step in this document will include instructions for each specific app. - ### Type of identity Determine the type of identity that will be used to sign into the device. 1. **Local Accounts:** This account is local to the device (like a local admin account on a windows PC). This will allow only 1 user to log into the device. -2. **MSA:** This will be a personal account (like outlook, hotmail, gmail, yahoo, etc.) This will allow only 1 user to log into the device. +2. **MSA:** This is a personal account (like outlook, hotmail, gmail, yahoo, etc.) This will allow only 1 user to log into the device. 3. **Azure Active Directory (Azure AD) accounts:** This is an account created in Azure AD. This grants your corporation the ability to manage the HoloLens device. This will allow multiple users to log into the HoloLens 1st Gen Commercial Suite/the HoloLens 2 device. ### Determine your enrollment method @@ -87,17 +88,27 @@ Determine the type of identity that will be used to sign into the device. More information can be found [here](hololens-enroll-mdm.md) -### Determine if you need a provisioning package +### Determine if you need to create a provisioning package -There are two methods to configure a HoloLens device (Provisioning packages and MDMs). We suggest using your MDM to configure you HoloLens device, however, there are some scenarios where using a provisioning package is the better choice: +There are two methods to configure a HoloLens device (Provisioning packages and MDMs). We suggest using your MDM to configure you HoloLens device. However, there are some scenarios where using a provisioning package is the better choice: -1. You want to skip the Out of Box Experience (OOBE) +1. You want to configure the HoloLens to skip the Out of Box Experience (OOBE) 1. You are having trouble deploying certificate in a complex network. The majority of the time you can deploy certificates using MDM (even in complex environments). However, some scenarios require certificates to be deployed through the provisioning package. +Some of the HoloLens configurations you can apply in a provisioning package: + +- Apply certificates to the device +- Set up a Wi-Fi connection +- Pre-configure out of box questions like language and locale +- (HoloLens 2) bulk enroll in mobile device management +- (HoloLens v1) Apply key to enable Windows Holographic for Business + +If you decide to use provisioning packages, follow [this guide](hololens-provisioning.md). + ## Next Step: [Determine what licenses you need](hololens-licenses-requirements.md) ## Get support Get support through the Microsoft support site. -[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f). \ No newline at end of file +[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f) diff --git a/devices/hololens/images/mdm-enrollment-error.png b/devices/hololens/images/mdm-enrollment-error.png new file mode 100644 index 0000000000..77b695d1cf Binary files /dev/null and b/devices/hololens/images/mdm-enrollment-error.png differ diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md new file mode 100644 index 0000000000..06b7527960 --- /dev/null +++ b/devices/hololens/scep-whitepaper.md @@ -0,0 +1,77 @@ +--- +title: SCEP Whitepaper +description: A whitepaper that describes how Microsoft mitigates the vulnerabilities of SCEP. +ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b +author: pawinfie +ms.author: pawinfie +ms.date: 02/12/2020 +keywords: hololens, Windows Mixed Reality, security +ms.prod: hololens +ms.sitesec: library +ms.topic: article +audience: ITPro +ms.localizationpriority: high +appliesto: +- HoloLens 1 (1st gen) +- HoloLens 2 +--- + +# SCEP Whitepaper + +## High Level + +### How the SCEP Challenge PW is secured + +We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we’ve configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes. + +We then pass that to the device and then the device generates it’s CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected. + +## Behind the scenes + +### Intune Connector has a number of responsibilities + +1. The connector is SCEP policy module which contains a "Certification Registration Point" component which interacts with the Intune service, and is responsible for validating, and securing the SCEP request coming into the NDES server. + +1. The connector will install an App Pool on the NDES IIS server > Microsoft Intune CRP service Pool, and a CertificateRegistrationSvc under the "Default Web Site" on IIS. + +1. **When the Intune NDES connector is first configured/setup on the NDES server, a certificate is issued from the Intune cloud service to the NDES server. This cert is used to securely communicate with the Intune cloud service - customer tenant. The cert is unique to the customers NDES server. Can be viewed in Certlm.msc issued by SC_Online_Issuing. This certs Public key is used by Intune in the cloud to encrypt the challenge blob. In addition, when the connector is configured, Intune's public key is sent to the NDES server.** + >[!NOTE] + >The connector communication with Intune is strictly outbound traffic. + +1. The Intune cloud service combined with the Intune connector/policy module addresses the SCEP protocol challenge password weakness (in the SCEP protocol) by generating a custom challenge. The challenge is generated in Intune itself. + + 1. In the challenge blob, Intune puts information that we expect in the cert request (CSR - Certificate Signing Request) coming from a mobile device like the following: what we expect the Subject and SAN (validated against AAD attributes/properties of the user/device) to be, and specifics contained in the Intune SCEP profile that is created by an Intune admin, i.e., Request Handling, EKU, Renewal, validity period, key size, renewal period. + >[!NOTE] + >The Challenge blob is Encrypted with the Connectors Public Key, and Signed with Intune's (cloud service) Private Key. The device cannot decrypt the challenge + + 1. When an Intune admin creates a SCEP profile in their tenant, Intune will send the SCEP profile payload along with the Encrypted and Signed Challenge to the targeted device. The device generates a CSR, and reaches out to NDES URL (contained in the SCEP profile). The device cert request payload contains the CSR, and the encrypted, signed challenge blob. + + 1. When the device reaches out to the NDES server (via the NDES/SCEP URL provided in the SCEP Profile payload), the SCEP cert request validation is performed by the policy module running on the NDES server. The challenge signature is verified using Intune's public key (which is on the NDES server, when the connector was installed and configured) and decrypted using the connectors private key. The policy module compares the CSR details against the decrypted challenge and determines if a cert should be issued. If the CSR passes validation, the NDES server requests a certificate from the CA on behalf of the user/device. + >[!NOTE] + >The above process takes place on the NDES server running the Policy Module. No interaction with the Intune cloud service takes place. + + 1. The NDES connector notification/reporting of cert delivery takes place after NDES sends the issued cert to the device. This is performed as a separate operation outside the cert request flow. Meaning that once NDES sends the cert to the device via the AAD app proxy (or other publishing firewall/proxy, a log is written with the cert delivery details on the NDES server by the connector (file location \Program Files\Microsoft Intune\CertificateRequestStatus\Succeed\ folder. The connector will look here, and send updates to Intune. + + 1. The mobile device must be enrolled in Intune. If not, we reject the request as well + + 1. The Intune connector disables the standard NDES challenge password request URL on the NDES server. + + 1. The NDES server SCEP URI in most customer deployments is made available to the internet via Azure App Proxy, or an on-prem reverse proxy, i.e. F5. + >[!NOTE] + >The Azure App Proxy is an outbound-only connection over Port 443, from the customers onprem network where the App Proxy connector is running on a server. The AAD app proxy can also be hosted on the NDES server. No inbound ports required when using Azure App Proxy. + + 1. The mobile device talks only to the NDES URI + + 1. Side note: AAD app proxy's role is to make onprem resources (like NDES and other customer onprem web services) securely available to the internet. + + 1. The Intune connector must communicate with the Intune cloud service. The connector communication will not go through the Azure App Proxy. The connector will talk with the Intune cloud service via whatever mechanism a customer has onprem to allow outbound traffic to the internet, i.e. Internal proxy service. + >[!NOTE] + > if a proxy is used by the customer, no SSL packet inspection can take place for the NDES/Connector server going out. + +1. Connector traffic with Intune cloud service consists of the following operations: + + 1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup. + + 1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors’ SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won’t be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet. + +1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications. diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md index af763b9e26..1f0e98f92b 100644 --- a/devices/surface-hub/surface-hub-2s-recover-reset.md +++ b/devices/surface-hub/surface-hub-2s-recover-reset.md @@ -23,8 +23,10 @@ To begin, sign in to Surface Hub 2S with admin credentials, open the **Settings* 1. To reset the device, select **Get Started**. 2. When the **Ready to reset this device** window appears, select **Reset**. + >[!NOTE] >Surface Hub 2S reinstalls the operating system from the recovery partition. This may take up to one hour to complete. + 3. To reconfigure the device, run the first-time Setup program. 4. If you manage the device using Microsoft Intune or another mobile device management solution, retire and delete the previous record, and then re-enroll the new device. For more information, see [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe). diff --git a/devices/surface/images/config-mgr-semm-fig3.png b/devices/surface/images/config-mgr-semm-fig3.png index c844b60531..e699359552 100644 Binary files a/devices/surface/images/config-mgr-semm-fig3.png and b/devices/surface/images/config-mgr-semm-fig3.png differ diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md index d205908048..9932a573bc 100644 --- a/devices/surface/manage-surface-uefi-settings.md +++ b/devices/surface/manage-surface-uefi-settings.md @@ -39,7 +39,7 @@ The PC information page includes detailed information about your Surface device: - **UUID** – This Universally Unique Identification number is specific to your device and is used to identify the device during deployment or management. - **Serial Number** – This number is used to identify this specific Surface device for asset tagging and support scenarios. -- **Asset Tag** – The asset tag is assigned to the Surface device with the [Asset Tag Tool](https://www.microsoft.com/download/details.aspx?id=44076). +- **Asset Tag** – The asset tag is assigned to the Surface device with the [Asset Tag Tool](https://docs.microsoft.com/surface/assettag). You will also find detailed information about the firmware of your Surface device. Surface devices have several internal components that each run different versions of firmware. The firmware version of each of the following devices is displayed on the **PC information** page (as shown in Figure 1): @@ -214,4 +214,4 @@ When you update Surface device firmware, by using either Windows Update or manua - [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) -- [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) \ No newline at end of file +- [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index ad38fb9081..aac758fa29 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -21,7 +21,7 @@ Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface > [!IMPORTANT] >Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version. -## Monitor the Surface Dock Firmare Update +## Monitor the Surface Dock Firmware Update This section is optional and provides an overview of how to monitor installation of the firmware update. When you are ready to install the update, see [Install the Surface Dock Firmware Update](#install-the-surface-dock-firmware-update) below. For more detailed information about monitoring the update process, see the following sections in this article: - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update) diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index 0cf1ab9bda..1ac8eb8aa2 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -75,10 +75,9 @@ To create a new application and deploy it to a collection that contains your Sur * **Import Information** – The Create Application Wizard will parse the .msi file and read the **Application Name** and **Product Code**. SurfaceUEFIManagerSetup.msi should be listed as the only file under the line **Content Files**, as shown in Figure 1. Select **Next** to proceed. - - ![Information from Surface UEFI Manager setup is automatically parsed](images/config-mgr-semm-fig1.png "Information from Surface UEFI Manager setup is automatically parsed") - - *Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed* + ![Information from Surface UEFI Manager setup is automatically parsed](images/config-mgr-semm-fig1.png "Information from Surface UEFI Manager setup is automatically parsed") + + *Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed* * **General Information** – You can modify the name of the application and information about the publisher and version, or add comments on this page. The installation command for Microsoft Surface UEFI Manager is displayed in the Installation Program field. The default installation behavior of Install for system will allow Microsoft Surface UEFI Manager to install the required assemblies for SEMM even if a user is not logged on to the Surface device. Select **Next** to proceed. * **Summary** – The information that was parsed in the **Import Information** step and your selections from the **General Information** step is displayed on this page. Select **Next** to confirm your selections and create the application. @@ -107,7 +106,7 @@ The sample scripts include examples of how to set Surface UEFI settings and how The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, and the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script. - ``` + ```powershell 56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition 57 $packageRoot = "$WorkingDirPath\Config" 58 $certName = "FabrikamSEMMSample.pfx" @@ -137,7 +136,7 @@ On line 73, replace the value of the **$password** variable, from **1234** to th > [!Note] > The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this. -``` +```powershell 150 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership. 151 # For convenience we get the thumbprint here and present to the user. 152 $pw = ConvertTo-SecureString $password -AsPlainText -Force @@ -163,7 +162,7 @@ Administrators with access to the certificate file (.pfx) can read the thumbprin The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras. -``` +```powershell 210 # Configure Permissions 211 foreach ($uefiV2 IN $surfaceDevices.Values) { 212 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) { @@ -215,7 +214,7 @@ You can find information about the available settings names and IDs for Surface The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows. -``` +```powershell 291 # Configure Settings 292 foreach ($uefiV2 IN $surfaceDevices.Values) { 293 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) { @@ -277,7 +276,7 @@ To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 sc The following code fragment, found on lines 380-477, is used to write these registry keys. -``` +```powershell 380 # For Endpoint Configuration Manager or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry: 381 $UTCDate = (Get-Date).ToUniversalTime().ToString() 382 $certIssuer = $certPrint.Issuer @@ -480,10 +479,10 @@ To add the SEMM Configuration Manager scripts to Configuration Manager as an app - Select **Registry** from the **Setting Type** drop-down menu. - Select **HKEY_LOCAL_MACHINE** from the **Hive** drop-down menu. - Enter **SOFTWARE\Microsoft\Surface\SEMM** in the **Key** field. - - Enter **Enabled_Version1000** in the **Value** field. + - Enter **CertName** in the **Value** field. - Select **String** from the **Data Type** drop-down menu. - Select the **This registry setting must satisfy the following rule to indicate the presence of this application** button. - - Enter **1** in the **Value** field. + - Enter the name of the certificate you entered in line 58 of the script in the **Value** field. - Select **OK** to close the **Detection Rule** window. ![Use a registry key to identify devices enrolled in SEMM](images/config-mgr-semm-fig3.png "Use a registry key to identify devices enrolled in SEMM") diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md index 1c8eaa3c06..1fbdba19cf 100644 --- a/devices/surface/windows-autopilot-and-surface-devices.md +++ b/devices/surface/windows-autopilot-and-surface-devices.md @@ -13,7 +13,7 @@ ms.author: dansimp ms.topic: article ms.localizationpriority: medium ms.audience: itpro -ms.date: 02/06/2020 +ms.date: 02/14/2020 --- # Windows Autopilot and Surface devices @@ -25,15 +25,24 @@ Windows Autopilot-registered devices are identified over the Internet at first s You can register Surface devices at the time of purchase from a Surface partner that's enabled for Windows Autopilot. These partners can ship new devices directly to your users. The devices will be automatically enrolled and configured when they are first turned on. This process eliminates reimaging during deployment, which lets you implement new, agile methods of device management and distribution. ## Modern management + Autopilot is the recommended deployment option for Surface devices, including Surface Pro 7, Surface Laptop 3, and Surface Pro X, which is specifically designed for deployment through Autopilot. It's best to enroll your Surface devices with the help of a Microsoft Cloud Solution Provider. This step allows you to manage UEFI firmware settings on Surface directly from Intune. It eliminates the need to physically touch devices for certificate management. See [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) for details. ## Windows version considerations + Broad deployment of Surface devices through Windows Autopilot, including enrollment by Surface partners at the time of purchase, requires Windows 10 Version 1709 (Fall Creators Update) or later. These Windows versions support a 4,000-byte (4k) hash value that uniquely identifies devices for Windows Autopilot, which is necessary for deployments at scale. All new Surface devices, including Surface Pro 7, Surface Pro X, and Surface Laptop 3, ship with Windows 10 Version 1903 or later. +## Exchange experience on Surface devices in need of repair or replacement + +Microsoft automatically checks every Surface for Autopilot enrollment and will deregister the device from the customer’s tenant. Microsoft ensures the replacement device is enrolled into Windows Autopilot once a replacement is shipped back to the customer. This service is available on all device exchange service orders directly with Microsoft. + +> [!NOTE] +> When customers use a Partner to return devices, the Partner is responsible for managing the exchange process including deregistering and enrolling devices into Windows Autopilot. + ## Surface partners enabled for Windows Autopilot Select Surface partners can enroll Surface devices in Windows Autopilot for you at the time of purchase. They can also ship enrolled devices directly to your users. The devices can be configured entirely through a zero-touch process by using Windows Autopilot, Azure AD, and mobile device management. @@ -42,7 +51,7 @@ Surface partners that are enabled for Windows Autopilot include: - [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp) - [Atea](https://www.atea.com/) -- [Bechtle](https://www.bechtle.com/backend/cms/marken/microsoft/microsoft-windows-autopilot) +- [Bechtle](https://www.bechtle.com/marken/microsoft/microsoft-windows-autopilot) - [Cancom](https://www.cancom.de/) - [CDW](https://www.cdw.com/) - [Computacenter](https://www.computacenter.com/uk) @@ -53,6 +62,7 @@ Surface partners that are enabled for Windows Autopilot include: - [Techdata](https://www.techdata.com/) ## Learn more + For more information about Windows Autopilot, see: - [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot) - [Windows Autopilot requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements) \ No newline at end of file diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md index 3ed2c2c111..cd77d39b06 100644 --- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md +++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md @@ -19,7 +19,10 @@ author: shortpatti This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 ### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 -[Desktop Optimization Pack](https://www.microsoft.com/download/details.aspx?id=58345) +[Desktop Optimization Pack](https://www.microsoft.com/download/details.aspx?id=57157) + +> [!NOTE] +> For more information about the hotfix releases, see the [MBAM version chart](https://docs.microsoft.com/archive/blogs/dubaisec/mbam-version-chart). #### Steps to update the MBAM Server for existing MBAM environment 1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features). diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 267386adc6..124846eb32 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -59,7 +59,7 @@ First, validate the type of EAP method being used: ![eap authentication type comparison](images/comparisontable.png) -If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu: +If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication Methods** section. ![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png) @@ -118,4 +118,3 @@ Even if audit policy appears to be fully enabled, it sometimes helps to disable [Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/library/cc766215%28v=ws.10%29.aspx)
[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/library/cc749352%28v=ws.10%29.aspx) - diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index a7c0f2f152..3afcb4da3f 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -65,7 +65,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu ## Supported configurations -In organizations that have integrated Active Directory and Azure AD, you can connect from a domain-joined PC to an Azure AD-joined PC using: +In organizations that have integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC using: - Password - Smartcards diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 4ced3aefe8..36ba902151 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -120,9 +120,6 @@ Requirements: > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have the Windows 10, version 1903 feature update installed. The default behavior for older releases is to revert to **User Credential**. -> [!NOTE] -> Device credential group policy setting is not supported for enrolling into Microsoft Intune. - When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). @@ -174,7 +171,7 @@ Requirements: > 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or > 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or > 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all) -> 2. Install the package on the Primary Domain Controller (PDC). +> 2. Install the package on the Domain Controller. > 3. Navigate, depending on the version to the folder: > 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or > 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or @@ -182,14 +179,13 @@ Requirements: > 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. > 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. > (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain). -> 6. Restart the Primary Domain Controller for the policy to be available. +> 6. Restart the Domain Controller for the policy to be available. > This procedure will work for any future version as well. 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. 2. Create a Security Group for the PCs. 3. Link the GPO. 4. Filter using Security Groups. -5. Enforce a GPO link. ## Troubleshoot auto-enrollment of devices diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index ee975458ee..6704ebd00c 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3333,6 +3333,23 @@ The following diagram shows the Policy configuration service provider in tree fo
Storage/AllowDiskHealthModelUpdates
+
+ Storage/AllowStorageSenseGlobal +
+
+ Storage/AllowStorageSenseTemporaryFilesCleanup +
+
+ Storage/ConfigStorageSenseCloudContentDehydrationThreshold +
+
+ Storage/ConfigStorageSenseDownloadsCleanupThreshold +
+
+ Storage/ConfigStorageSenseGlobalCadence +
+
+ Storage/ConfigStorageSenseRecycleBinCleanupThreshold
Storage/EnhancedStorageDevices
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index e978cc82da..f097cc7b37 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -232,6 +232,9 @@ Added in Windows 10, version 1703. Allows IT Admins the ability to disable the " > [!NOTE] > If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). +> [!NOTE] +> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. + The following list shows the supported values: diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index dd82298d1b..1c13aa99ad 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -194,7 +194,6 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro IKEv2 Eap - Eap diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md index 8ca269aefe..1239cdfc7a 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md @@ -18,6 +18,9 @@ manager: dansimp - Windows 10, version 1703 - Windows 10 Mobile, version 1703 +>[!IMPORTANT] +>Cortana for Power BI is deprecated and will not be available in future releases. This topic is provided as a reference for previous versions only. + Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop. >[!Note] @@ -35,6 +38,7 @@ To use this walkthrough, you’ll need: - **Azure Active Directory (Azure AD)/Work or School account**. You can use the account that you created for Office 365, or you can create a new one while you’re establishing your Power BI account. If you choose to use Azure AD, you must connect your Azure AD account to your Windows account. **To connect your account to Windows** + a. Open **Windows Settings**, click **Accounts**, click **Access work or school**, and then in the **Connect to work or school** section, click **Connect**. b. Follow the instructions to add your Azure Active Directory (Azure AD) account to Windows. diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 812e47c937..cd447823e3 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -118,7 +118,7 @@ When Microsoft officially releases a feature update for Windows 10, it is made a Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases. All customers, independent software vendors (ISVs), and partners should use this time for testing and piloting within their environments. After 2-4 months, we will transition to broad deployment and encourage customers and partners to expand and accelerate the deployment of the release. For customers using Windows Update for Business, the Semi-Annual Channel provides three months of additional total deployment time before being required to update to the next release. > [!NOTE] -> All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. These versions include Enterprise and Education editions for Windows 10, versions 1607 and later. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18-month lifecycle. +> All releases of Windows 10 have **18 months of servicing for all editions**--these updates provide security and feature updates for the release. However, fall releases of the **Enterprise and Education editions** will have an **additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release**. This extended servicing window applies to Enterprise and Education editions starting with Windows 10, version 1607. > > > [!NOTE] diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md index ba68d36951..b58c711dbf 100644 --- a/windows/deployment/usmt/usmt-identify-users.md +++ b/windows/deployment/usmt/usmt-identify-users.md @@ -1,65 +1,66 @@ ---- -title: Identify Users (Windows 10) -description: Identify Users -ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro -author: greg-lindsay -ms.topic: article ---- - -# Identify Users - -It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md). - -## In This Topic - -- [Migrating Local Accounts](#bkmk-8) -- [Migrating Domain Accounts](#bkmk-9) -- [Command-Line Options](#bkmk-7) - -## Migrating Local Accounts - -Before migrating local accounts, note the following: - -- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the **/lac** option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. - -- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. - -- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. - ->[!NOTE] ->If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password. - -## Migrating Domain Accounts - -The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated. - -## Command-Line Options - -USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate. - -- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools. - - >[!IMPORTANT]   - >The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations. - -- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool. - -- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool. - -- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option. - - >[!NOTE] - >By default, if a user name is not specified in any of the command-line options, the user will be migrated. - -## Related topics - -[Determine What to Migrate](usmt-determine-what-to-migrate.md)
-[ScanState Syntax](usmt-scanstate-syntax.md)
-[LoadState Syntax](usmt-loadstate-syntax.md) +--- +title: Identify Users (Windows 10) +description: Identify Users +ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +ms.localizationpriority: medium +--- + +# Identify Users + +It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md). + +## In This Topic + +- [Migrating Local Accounts](#bkmk-8) +- [Migrating Domain Accounts](#bkmk-9) +- [Command-Line Options](#bkmk-7) + +## Migrating Local Accounts + +Before migrating local accounts, note the following: + +- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the **/lac** option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. + +- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. + +- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. + +>[!NOTE] +>If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password. + +## Migrating Domain Accounts + +The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated. + +## Command-Line Options + +USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate. + +- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools. + + >[!IMPORTANT] + >The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations. + +- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool. + +- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool. + +- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option. + + >[!NOTE] + >By default, if a user name is not specified in any of the command-line options, the user will be migrated. + +## Related topics + +[Determine What to Migrate](usmt-determine-what-to-migrate.md)
+[ScanState Syntax](usmt-scanstate-syntax.md)
+[LoadState Syntax](usmt-loadstate-syntax.md) diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 9a229185cc..fa6196d4f9 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -9,7 +9,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.localizationpriority: medium ms.date: 03/11/2019 ms.topic: article @@ -31,11 +32,12 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for ### Requirements -- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access and all updates applied -- [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) +- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied +- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) - [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) +- alternatively any full SQL instance e.g. SQL Server 2014 or newer incl. CU / SP -### Install SQL Server 2017 Express +### Install SQL Server 2017 Express / alternatively use any Full SQL instance e.g. SQL Server 2014 or newer 1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. 2. Select **Basic**. @@ -46,20 +48,23 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for ### Install VAMT using the ADK -1. Download and open the [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) package. +1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package. +Reminder: There won't be new ADK release for 1909. 2. Enter an install location or use the default path, and then select **Next**. 3. Select a privacy setting, and then select **Next**. 4. Accept the license terms. 5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) 6. On the completion page, select **Close**. -### Configure VAMT to connect to SQL Server 2017 Express +### Configure VAMT to connect to SQL Server 2017 Express or full SQL Server 1. Open **Volume Active Management Tool 3.1** from the Start menu. -2. Enter the server instance name and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example. +2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL. ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) +for remote SQL Server use +servername.yourdomain.com diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index e674b3196e..cb55dd325b 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -135,7 +135,7 @@ A summary of each platform's capabilities is provided below.
-Microsoft Store for Business4 +Microsoft Store for Business YES - 1000 at a time max YES4 4K HH @@ -153,7 +153,8 @@ A summary of each platform's capabilities is provided below.
>1Microsoft recommended platform to use
>2Intune license required
>3Feature capabilities are limited
->4To be retired
+>4Device profile assignment will be retired from MSfB and Partner Center in the coming months
+ Also see the following topics for more information about device IDs: - [Device identification](#device-identification) diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index 9fd9e87869..a0bef4bb0b 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md @@ -59,7 +59,7 @@ To enable white glove deployment, an additional Autopilot profile setting must b ![allow white glove](images/allow-white-glove-oobe.png) -The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. +The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. Please make sure not to target both win32 and LOB apps to the same device. >[!NOTE] >Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users. diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml index 1edda2c7ba..7df978985d 100644 --- a/windows/release-information/resolved-issues-windows-10-1507.yml +++ b/windows/release-information/resolved-issues-windows-10-1507.yml @@ -33,7 +33,6 @@ sections: text: " -
SummaryOriginating updateStatusDate resolved
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 10240.18334

September 23, 2019
KB4522009		Resolved
KB4520011		October 08, 2019
10:00 AM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		OS Build 10240.18305

August 13, 2019
KB4512497		Resolved
KB4517276		August 17, 2019
02:00 PM PT
" @@ -52,12 +51,3 @@ sections:
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520011.

Back to topOS Build 10240.18334

September 23, 2019
KB4522009Resolved
KB4520011Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT " - -- title: August 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512497, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517276. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4517276 and install. For instructions, see Update Windows 10.

Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

Back to top		OS Build 10240.18305

August 13, 2019
KB4512497		Resolved
KB4517276		Resolved:
August 17, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
- " diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml index 343f302b6c..5585df19da 100644 --- a/windows/release-information/resolved-issues-windows-10-1607.yml +++ b/windows/release-information/resolved-issues-windows-10-1607.yml @@ -36,10 +36,6 @@ sections:
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >OS Build 14393.3206

September 23, 2019
KB4522010Resolved
KB4519998October 08, 2019
10:00 AM PT
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.

See details >OS Build 14393.3204

September 10, 2019
KB4516044Resolved
September 17, 2019
04:47 PM PT
Apps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call NetQueryDisplayInformation may fail to return results after the first page of data.

See details >OS Build 14393.3053

June 18, 2019
KB4503294Resolved
KB4516044September 10, 2019
10:00 AM PT -
Domain connected devices that use MIT Kerberos realms will not start up
Devices may not start after updating when connected to a domain that is configured to use MIT Kerberos realms.

See details >OS Build 14393.3115

July 16, 2019
KB4507459Resolved
KB4512517August 13, 2019
10:00 AM PT -
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 14393.3025

June 11, 2019
KB4503267Resolved
KB4512495August 17, 2019
02:00 PM PT -
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >OS Build 14393.3144

August 13, 2019
KB4512517Resolved
KB4512495August 17, 2019
02:00 PM PT -
Internet Explorer 11 and apps using the WebBrowser control may fail to render
JavaScript may fail to render as expected in IE11 and in apps using JavaScript or the WebBrowser control.

See details >OS Build 14393.3085

July 09, 2019
KB4507460Resolved
KB4512517August 13, 2019
10:00 AM PT " @@ -66,19 +62,6 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Apps and scripts using the NetQueryDisplayInformation API may fail with error
 Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

Affected platforms:
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4516044.

Back to top		OS Build 14393.3053

June 18, 2019
KB4503294		Resolved
KB4516044		Resolved:
September 10, 2019
10:00 AM PT

Opened:
August 01, 2019
05:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512517, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512495. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512495 and install. For instructions, see Update Windows 10.

Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

Back to top		OS Build 14393.3144

August 13, 2019
KB4512517		Resolved
KB4512495		Resolved:
August 17, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512517 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

Back to top		OS Build 14393.3115

July 16, 2019
KB4507459		Resolved
KB4512517		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503267 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512495.

Back to top		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved
KB4512495		Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
Internet Explorer 11 and apps using the WebBrowser control may fail to render
Internet Explorer 11 may fail to render some JavaScript after installing KB4507460. You may also have issues with apps using JavaScript or the WebBrowser control, such as the present PowerPoint feature of Skype Meeting Broadcast.

Affected platforms:
  • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2016
Resolution: This issue was resolved in KB4512517.

Back to top		OS Build 14393.3085

July 09, 2019
KB4507460		Resolved
KB4512517		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 26, 2019
04:58 PM PT
" diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml index 3141761298..c85bdd82e9 100644 --- a/windows/release-information/resolved-issues-windows-10-1709.yml +++ b/windows/release-information/resolved-issues-windows-10-1709.yml @@ -35,9 +35,6 @@ sections:
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >OS Build 16299.1387

September 10, 2019
KB4516066Resolved
KB4534318January 23, 2020
02:00 PM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >OS Build 16299.1392

September 23, 2019
KB4522012Resolved
KB4520004October 08, 2019
10:00 AM PT
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.

See details >OS Build 16299.1387

September 10, 2019
KB4516066Resolved
September 19, 2019
04:08 PM PT -
Domain connected devices that use MIT Kerberos realms will not start up
Devices may not start after updating when connected to a domain that is configured to use MIT Kerberos realms.

See details >OS Build 16299.1296

July 16, 2019
KB4507465Resolved
KB4512516August 13, 2019
10:00 AM PT -
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 16299.1217

June 11, 2019
KB4503284Resolved
KB4512494August 16, 2019
02:00 PM PT -
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >OS Build 16299.1331

August 13, 2019
KB4512516Resolved
KB4512494August 16, 2019
02:00 PM PT " @@ -66,23 +63,3 @@ sections:
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard.


Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016

Resolution: Due to security related changes in KB4516066, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
  1. Select the Start button and type Services.
  2. Locate Touch Keyboard and Handwriting Panel Service and double click on it or long press and select Properties.
  3. Locate Startup type: and change it to Manual
  4. Select Ok
  5. The TabletInputService service is now in the default configuration and IME should work as expected.

Back to topOS Build 16299.1387

September 10, 2019
KB4516066Resolved
Resolved:
September 19, 2019
04:08 PM PT

Opened:
September 13, 2019
05:25 PM PT " - -- title: August 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512516, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512494. The ‘optional’ update will be available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512494 and install. For instructions, see Update Windows 10.

Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

Back to top		OS Build 16299.1331

August 13, 2019
KB4512516		Resolved
KB4512494		Resolved:
August 16, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512516 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

Back to top		OS Build 16299.1296

July 16, 2019
KB4507465		Resolved
KB4512516		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503284 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512494.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved
KB4512494		Resolved:
August 16, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
- " diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml index 37a0f56eab..c5f045f610 100644 --- a/windows/release-information/resolved-issues-windows-10-1803.yml +++ b/windows/release-information/resolved-issues-windows-10-1803.yml @@ -37,7 +37,6 @@ sections:
Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.

See details >OS Build 17134.829

June 11, 2019
KB4503286Resolved
KB4519978October 15, 2019
10:00 AM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >OS Build 17134.1009

September 23, 2019
KB4522014Resolved
KB4520008October 08, 2019
10:00 AM PT
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.

See details >OS Build 17134.1006

September 10, 2019
KB4516058Resolved
September 19, 2019
04:08 PM PT -
Domain connected devices that use MIT Kerberos realms will not start up
Devices may not start after updating when connected to a domain that is configured to use MIT Kerberos realms.

See details >OS Build 17134.915

July 16, 2019
KB4507466Resolved
KB4512501August 13, 2019
10:00 AM PT
Notification issue: \"Your device is missing important security and quality fixes.\"
Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes.\"

See details >N/A

Resolved
September 03, 2019
12:32 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 17134.829

June 11, 2019
KB4503286Resolved
KB4512509August 19, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >OS Build 17134.950

August 13, 2019
KB4512501Resolved
KB4512509August 19, 2019
02:00 PM PT @@ -86,8 +85,6 @@ sections: - type: markdown text: " -
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512501 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

Back to top		OS Build 17134.915

July 16, 2019
KB4507466		Resolved
KB4512501		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503286 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512509.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Resolved
KB4512509		Resolved:
August 19, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
" diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml index fe9b47b46b..2eb42f02b4 100644 --- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml @@ -39,9 +39,6 @@ sections:
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >OS Build 17763.740

September 23, 2019
KB4522015Resolved
KB4519338October 08, 2019
10:00 AM PT
Apps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call NetQueryDisplayInformation may fail to return results after the first page of data.

See details >OS Build 17763.55

October 09, 2018
KB4464330Resolved
KB4516077September 24, 2019
10:00 AM PT
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.

See details >OS Build 17763.737

September 10, 2019
KB4512578Resolved
September 19, 2019
04:08 PM PT -
Domain connected devices that use MIT Kerberos realms will not start up
Devices may not start after updating when connected to a domain that is configured to use MIT Kerberos realms.

See details >OS Build 17763.652

July 22, 2019
KB4505658Resolved
KB4511553August 13, 2019
10:00 AM PT -
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 17763.557

June 11, 2019
KB4503327Resolved
KB4512534August 17, 2019
02:00 PM PT -
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >OS Build 17763.678

August 13, 2019
KB4511553Resolved
KB4512534August 17, 2019
02:00 PM PT " @@ -79,18 +76,6 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Apps and scripts using the NetQueryDisplayInformation API may fail with error
 Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

Affected platforms:
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4516077.

Back to top		OS Build 17763.55

October 09, 2018
KB4464330		Resolved
KB4516077		Resolved:
September 24, 2019
10:00 AM PT

Opened:
August 01, 2019
05:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4511553, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512534. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512534 and install. For instructions, see Update Windows 10.

Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

Back to top		OS Build 17763.678

August 13, 2019
KB4511553		Resolved
KB4512534		Resolved:
August 17, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4511553 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

Back to top		OS Build 17763.652

July 22, 2019
KB4505658		Resolved
KB4511553		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503327 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512534.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Resolved
KB4512534		Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
" diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml index 76a98fa268..3e723fd5a0 100644 --- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml @@ -32,14 +32,12 @@ sections: - type: markdown text: " + - - -
SummaryOriginating updateStatusDate resolved
After installing an update and restarting, you might receive an error
You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.

See details >		February 11, 2020
KB4537820		Resolved
February 12, 2020
05:37 PM PT
Custom wallpaper displays as black
Using a custom image set to \"Stretch\" might not display as expected.

See details >		January 14, 2020
KB4534310		Resolved
KB4539601		February 07, 2020
10:00 AM PT
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.

See details >
Resolved
January 23, 2020
02:08 PM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		September 24, 2019
KB4516048		Resolved
KB4519976		October 08, 2019
10:00 AM PT
You may receive an error when opening or using the Toshiba Qosmio AV Center
Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll.

See details >		August 13, 2019
KB4512506		Resolved
KB4516048		September 24, 2019
10:00 AM PT
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed

See details >		August 13, 2019
KB4512506		Resolved External
August 27, 2019
02:29 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503292		Resolved
KB4512514		August 17, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		August 13, 2019
KB4512506		Resolved
KB4517297		August 16, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices running certain McAfee Endpoint security applications may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Resolved External
August 13, 2019
06:59 PM PT
" @@ -50,6 +48,15 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
After installing an update and restarting, you might receive an error
After installing KB4537820 and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This is expected in the following circumstances:
  • If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
  • If you do not have an ESU MAK add-on key installed and activated. 
If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the \"How to get this update\" section of this article.

Back to top		February 11, 2020
KB4537820		Resolved
Resolved:
February 12, 2020
05:37 PM PT

Opened:
February 12, 2020
03:47 PM PT
+ " + - title: January 2020 - items: - type: markdown @@ -73,7 +80,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4519976. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516048		Resolved
KB4519976		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4519976. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516048		Resolved
KB4519976		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
You may receive an error when opening or using the Toshiba Qosmio AV Center
After installing KB4512506, you may receive an error when opening or using the Toshiba Qosmio AV Center. You may also receive an error in Event Log related to cryptnet.dll.

Affected platforms:
  • Client: Windows 7 SP1
Resolution: This issue was resolved in KB4516048.

Back to top		August 13, 2019
KB4512506		Resolved
KB4516048		Resolved:
September 24, 2019
10:00 AM PT

Opened:
September 10, 2019
09:48 AM PT
" @@ -84,24 +91,5 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Symantec identified the potential for a negative interaction that may occur after Windows Updates code signed with SHA-2 only certificates are installed on devices with Symantec or Norton antivirus programs installed. The software may not correctly identify files included in the update as code signed by Microsoft, putting the device at risk for a delayed or incomplete update.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Resolution: The safeguard hold has been removed. Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows 2008 R2 and has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection and Norton antivirus programs. See the Symantec support article for additional detail and please reach out to Symantec or Norton support if you encounter any issues.

Back to top		August 13, 2019
KB4512506		Resolved External
Last updated:
August 27, 2019
02:29 PM PT

Opened:
August 13, 2019
10:05 AM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512506, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517297. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

Back to top		August 13, 2019
KB4512506		Resolved
KB4517297		Resolved:
August 16, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503292 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512514.

Back to top		June 11, 2019
KB4503292		Resolved
KB4512514		Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
- " - -- title: April 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles: 

Back to top		April 09, 2019
KB4493472		Resolved External
Last updated:
August 13, 2019
06:59 PM PT

Opened:
April 09, 2019
10:00 AM PT
" diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml index 14837c1dae..bcebc8ddb6 100644 --- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml @@ -35,9 +35,6 @@ sections:
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.

See details >August 13, 2019
KB4512489Resolved
KB4525250November 12, 2019
10:00 AM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >September 24, 2019
KB4516041Resolved
KB4520005October 08, 2019
10:00 AM PT
Windows RT 8.1 devices may have issues opening Internet Explorer 11
On Windows RT 8.1 devices, Internet Explorer 11 may not open and you may receive an error.

See details >September 10, 2019
KB4516067Resolved
KB4516041September 24, 2019
10:00 AM PT -
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >June 11, 2019
KB4503276Resolved
KB4512478August 17, 2019
02:00 PM PT -
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >August 13, 2019
KB4512488Resolved
KB4517298August 16, 2019
02:00 PM PT -
System may be unresponsive after restart with certain McAfee antivirus products
Devices running certain McAfee Endpoint security applications may be slow or unresponsive at startup.

See details >April 09, 2019
KB4493446Resolved External
August 13, 2019
06:59 PM PT " @@ -62,34 +59,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520005. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516041		Resolved
KB4520005		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520005. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516041		Resolved
KB4520005		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
Windows RT 8.1 devices may have issues opening Internet Explorer 11
On Windows 8.1 RT devices, Internet Explorer 11 may not open and you may receive the error, \"C:\\Program Files\\Internet Explorer\\iexplore.exe: A certificate was explicitly revoked by its issuer.\"


Affected platforms:
  • Client: Windows RT 8.1
Resolution: This issue was resolved in KB4516041.

Back to top		September 10, 2019
KB4516067		Resolved
KB4516041		Resolved:
September 24, 2019
10:00 AM PT

Opened:
September 13, 2019
05:25 PM PT
" - -- title: August 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512488, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517298. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

Back to top		August 13, 2019
KB4512488		Resolved
KB4517298		Resolved:
August 16, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503276 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512478.

Back to top		June 11, 2019
KB4503276		Resolved
KB4512478		Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
- " - -- title: April 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

Back to top		April 09, 2019
KB4493446		Resolved External
Last updated:
August 13, 2019
06:59 PM PT

Opened:
April 09, 2019
10:00 AM PT
- " diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml index 475eb994f9..8c0739bd8e 100644 --- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml +++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml @@ -32,11 +32,10 @@ sections: - type: markdown text: " + - -
SummaryOriginating updateStatusDate resolved
After installing an update and restarting, you might receive an error
You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.

See details >		February 11, 2020
KB4537810		Resolved
February 12, 2020
05:37 PM PT
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.

See details >
Resolved
January 23, 2020
02:08 PM PT
Issues manually installing updates by double-clicking the .msu file
You may encounter issues manually installing updates by double-clicking the .msu file and may receive an error.

See details >		September 10, 2019
KB4474419		Resolved
KB4474419		September 23, 2019
10:00 AM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		September 24, 2019
KB4516030		Resolved
KB4520002		October 08, 2019
10:00 AM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503273		Resolved
KB4512499		August 17, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		August 13, 2019
KB4512476		Resolved
KB4517301		August 16, 2019
02:00 PM PT
" @@ -47,6 +46,15 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
After installing an update and restarting, you might receive an error
After installing KB4537810 and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This is expected in the following circumstances:
  • If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
  • If you do not have an ESU MAK add-on key installed and activated. 
If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the \"How to get this update\" section of this article.

Back to top		February 11, 2020
KB4537810		Resolved
Resolved:
February 12, 2020
05:37 PM PT

Opened:
February 12, 2020
03:47 PM PT
+ " + - title: November 2019 - items: - type: markdown @@ -62,24 +70,6 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Issues manually installing updates by double-clicking the .msu file
After installing the SHA-2 update (KB4474419) released on September 10, 2019, you may encounter issues manually installing updates by double-clicking on the .msu file and may receive the error, \"Installer encountered an error: 0x80073afc. The resource loader failed to find MUI file.\"

Affected platforms:
  • Server: Windows Server 2008 SP2
Workaround: Open a command prompt and use the following command (replacing <msu location> with the actual location and filename of the update): wusa.exe <msu location> /quiet

Resolution: This issue is resolved in KB4474419 released October 8, 2019. It will install automatically from Windows Update and Windows Server Update Services (WSUS). If you need to install this update manually, you will need to use the workaround above.

Note If you previously installed KB4474419 released September 23, 2019, then you already have the latest version of this update and do not need to reinstall.

Back to top		September 10, 2019
KB4474419		Resolved
KB4474419		Resolved:
September 23, 2019
10:00 AM PT

Opened:
September 20, 2019
04:57 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520002. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516030		Resolved
KB4520002		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
- " - -- title: August 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512476, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517301. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

Back to top		August 13, 2019
KB4512476		Resolved
KB4517301		Resolved:
August 16, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - +
DetailsOriginating updateStatusHistory
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503273 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512499.

Back to top		June 11, 2019
KB4503273		Resolved
KB4512499		Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520002. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516030		Resolved
KB4520002		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
" diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml index fe6611a3e4..87c57cef75 100644 --- a/windows/release-information/resolved-issues-windows-server-2012.yml +++ b/windows/release-information/resolved-issues-windows-server-2012.yml @@ -34,8 +34,6 @@ sections: - -
SummaryOriginating updateStatusDate resolved
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.

See details >		August 13, 2019
KB4512482		Resolved
KB4525253		November 12, 2019
10:00 AM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		September 24, 2019
KB4516069		Resolved
KB4520007		October 08, 2019
10:00 AM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503285		Resolved
KB4512512		August 17, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		August 13, 2019
KB4512518		Resolved
KB4517302		August 16, 2019
02:00 PM PT
" @@ -60,24 +58,6 @@ sections: - type: markdown text: " - -
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520007. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516069		Resolved
KB4520007		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
- " - -- title: August 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512518, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517302. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

Back to top		August 13, 2019
KB4512518		Resolved
KB4517302		Resolved:
August 16, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - +
DetailsOriginating updateStatusHistory
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503285 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512512.

Back to top		June 11, 2019
KB4503285		Resolved
KB4512512		Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520007. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516069		Resolved
KB4520007		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
" diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index df76e08bd1..50e384face 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+
SummaryOriginating updateStatusLast updated
You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496

See details >		N/A
February 11, 2019
KB4502496		Mitigated
February 15, 2020
01:22 AM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 10240.18368

October 08, 2019
KB4520011		Mitigated External
November 05, 2019
03:36 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Mitigated
April 25, 2019
02:00 PM PT
@@ -72,6 +73,15 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4502496) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4502496 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2019
KB4502496		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index 349276ccd7..ad5f5d081d 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -60,6 +60,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ + @@ -74,6 +76,16 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
“Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.

See details >		N/A
February 11, 2019
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244

See details >		N/A
February 11, 2019
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

See details >		OS Build 14393.2608

November 13, 2018
KB4467691		Resolved External
January 23, 2020
02:08 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 14393.3274

October 08, 2019
KB4519998		Mitigated External
November 05, 2019
03:36 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Mitigated
April 25, 2019
02:00 PM PT
+ + +
DetailsOriginating updateStatusHistory
“Reset this PC” feature might fail
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.

If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
  5. Upon restart use the “Reset this PC” feature and you should not encounter this issue.

Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2019
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2019
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index 68f5967f84..b0ee5c7ec5 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -60,6 +60,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ + @@ -73,6 +75,16 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
“Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.

See details >		N/A
February 11, 2019
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244

See details >		N/A
February 11, 2019
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 16299.1387

September 10, 2019
KB4516066		Resolved
KB4534318		January 23, 2020
02:00 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 16299.1451

October 08, 2019
KB4520004		Mitigated External
November 05, 2019
03:36 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 16299.904

January 08, 2019
KB4480978		Mitigated
April 25, 2019
02:00 PM PT
+ + +
DetailsOriginating updateStatusHistory
“Reset this PC” feature might fail
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.

If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
  5. Upon restart use the “Reset this PC” feature and you should not encounter this issue.

Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2019
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2019
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index d5408f495b..f390bca9da 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -64,6 +64,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ + @@ -77,6 +79,16 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
“Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.

See details >		N/A
February 11, 2019
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244

See details >		N/A
February 11, 2019
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 17134.1006

September 10, 2019
KB4516058		Resolved
KB4534308		January 23, 2020
02:00 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 17134.1069

October 08, 2019
KB4520008		Mitigated External
November 05, 2019
03:36 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 17134.523

January 08, 2019
KB4480966		Mitigated
April 25, 2019
02:00 PM PT
+ + +
DetailsOriginating updateStatusHistory
“Reset this PC” feature might fail
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.

If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
  5. Upon restart use the “Reset this PC” feature and you should not encounter this issue.

Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2019
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2019
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index 7beb2e9c30..da6e037493 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -64,6 +64,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ + @@ -78,6 +80,16 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
“Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.

See details >		N/A
February 11, 2019
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244

See details >		N/A
February 11, 2019
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 17763.737

September 10, 2019
KB4512578		Resolved
KB4534321		January 23, 2020
02:00 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 17763.805

October 08, 2019
KB4519338		Mitigated External
November 05, 2019
03:36 PM PT
Devices with some Asian language packs installed may receive an error
Devices with Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
May 03, 2019
10:59 AM PT
+ + +
DetailsOriginating updateStatusHistory
“Reset this PC” feature might fail
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.

If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
  5. Upon restart use the “Reset this PC” feature and you should not encounter this issue.

Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2019
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2019
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index c37a9ca547..4b98890fff 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -64,6 +64,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ +
SummaryOriginating updateStatusLast updated
“Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.

See details >		N/A
February 11, 2019
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244

See details >		N/A
February 11, 2019
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.

See details >		N/A

Mitigated External
November 25, 2019
05:25 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 18362.418

October 08, 2019
KB4517389		Mitigated External
November 05, 2019
03:36 PM PT
@@ -76,6 +78,16 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " + + + +
DetailsOriginating updateStatusHistory
“Reset this PC” feature might fail
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.

If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
  5. Upon restart use the “Reset this PC” feature and you should not encounter this issue.

Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2019
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2019
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1909.yml b/windows/release-information/status-windows-10-1909.yml index 5d5aa24d52..355ff2a8c2 100644 --- a/windows/release-information/status-windows-10-1909.yml +++ b/windows/release-information/status-windows-10-1909.yml @@ -64,6 +64,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ +
SummaryOriginating updateStatusLast updated
“Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.

See details >		N/A
February 11, 2019
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244

See details >		N/A
February 11, 2019
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.

See details >		N/A

Mitigated External
November 25, 2019
05:25 PM PT
" @@ -75,6 +77,16 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " + + + +
DetailsOriginating updateStatusHistory
“Reset this PC” feature might fail
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.

If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
  5. Upon restart use the “Reset this PC” feature and you should not encounter this issue.

Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2019
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2019
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index 594303eec5..d47c63c516 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -74,6 +75,15 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
After installing an update and restarting, you might receive an error
You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.

See details >		February 11, 2020
KB4537820		Resolved
February 12, 2020
05:37 PM PT
Custom wallpaper displays as black
Using a custom image set to \"Stretch\" might not display as expected.

See details >		January 14, 2020
KB4534310		Resolved
KB4539601		February 07, 2020
10:00 AM PT
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.

See details >
Resolved
January 23, 2020
02:08 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4519976		Mitigated External
November 05, 2019
03:36 PM PT
+ +
DetailsOriginating updateStatusHistory
After installing an update and restarting, you might receive an error
After installing KB4537820 and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This is expected in the following circumstances:
  • If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
  • If you do not have an ESU MAK add-on key installed and activated. 
If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the \"How to get this update\" section of this article.

Back to top		February 11, 2020
KB4537820		Resolved
Resolved:
February 12, 2020
05:37 PM PT

Opened:
February 12, 2020
03:47 PM PT
+ " + - title: January 2020 - items: - type: markdown diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index 596f76e9d2..1d522d681a 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -73,6 +74,15 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496

See details >		February 11, 2020
KB4502496		Mitigated
February 15, 2020
01:22 AM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4520005		Mitigated External
November 05, 2019
03:36 PM PT
Japanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

See details >		April 25, 2019
KB4493443		Mitigated
May 15, 2019
05:53 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		January 08, 2019
KB4480963		Mitigated
April 25, 2019
02:00 PM PT
+ +
DetailsOriginating updateStatusHistory
You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4502496) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4502496 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		February 11, 2020
KB4502496		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml index 122a392439..44b16a1a5e 100644 --- a/windows/release-information/status-windows-server-2008-sp2.yml +++ b/windows/release-information/status-windows-server-2008-sp2.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+
SummaryOriginating updateStatusLast updated
After installing an update and restarting, you might receive an error
You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.

See details >		February 11, 2020
KB4537810		Resolved
February 12, 2020
05:37 PM PT
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.

See details >
Resolved
January 23, 2020
02:08 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4520002		Mitigated External
November 05, 2019
03:36 PM PT
@@ -72,6 +73,15 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
After installing an update and restarting, you might receive an error
After installing KB4537810 and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This is expected in the following circumstances:
  • If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
  • If you do not have an ESU MAK add-on key installed and activated. 
If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the \"How to get this update\" section of this article.

Back to top		February 11, 2020
KB4537810		Resolved
Resolved:
February 12, 2020
05:37 PM PT

Opened:
February 12, 2020
03:47 PM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index c83ea0923f..cba7737955 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -73,6 +74,15 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496

See details >		February 11, 2020
KB4502496		Mitigated
February 15, 2020
01:22 AM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4520007		Mitigated External
November 05, 2019
03:36 PM PT
Japanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

See details >		April 25, 2019
KB4493462		Mitigated
May 15, 2019
05:53 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		January 08, 2019
KB4480975		Mitigated
April 25, 2019
02:00 PM PT
+ +
DetailsOriginating updateStatusHistory
You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4502496) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4502496 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		February 11, 2020
KB4502496		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 1177033b2d..ba231e5da7 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -50,9 +50,10 @@ sections: text: " + - + @@ -82,11 +83,6 @@ sections: - - - - -
MessageDate
Compatibility issue with some Windows Server container images
If you are encountering issues with Windows Server container images, please see KB4542617.
February 13, 2020
03:21 PM PT
Take action: February 2020 security update available for all supported versions of Windows
The February 2020 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
February 11, 2020
08:00 AM PT
Take action: ESU security updates available for Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2
Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 reached end of support on January 14, 2020. For customers who have purchased Extended Security Updates (ESU), the first monthly ESU security updates are now available. If your organization has not yet been able to complete your transition to Windows 10, Windows Server 2016, or Windows Server 2019 and want to continue to receive security updates for your current version of Windows, you will need to purchase Extended Security Updates. For information on how to do so, please see How to get Extended Security Updates for eligible Windows devices, Windows 7 ESU frequently ask questions, and Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 ESU frequently asked questions.

We recommend ESU customers review the applicable KB article below for prerequisites and other important information you will need to deploy these updates.

The following updates were released today for Windows Server 2008 SP2:
The following updates were released today for Windows 7 SP1 and Windows Server 2008 R2 SP1:
February 11, 2020
08:00 AM PT
Resolved: Windows Search shows blank box
We are aware of a temporary server-side issue causing Windows search to show a blank box. This issue has been resolved for most users and in some cases, you might need to restart your device. We are working diligently to fully resolve the issue and will provide an update once resolved. 

This issue was resolved at 12:00 PM PST. If you are still experiencing issues, please restart your device. In rare cases, you may need to manually end the SearchUI.exe or SearchApp.exe process via Task Manager. (To locate these processes, select CTRL + Shift + Esc then select the Details tab.)
February 05, 2020
12:00 PM PT
Resolved: Windows Search shows blank box
We are aware of a temporary server-side issue causing Windows search to show a blank box. This issue has been resolved for most users and in some cases, you might need to restart your device. We are working diligently to fully resolve the issue and will provide an update once resolved. 

This issue was resolved at 12:00 PM PST. If you are still experiencing issues, please restart your device. In rare cases, to mitigate this issue you may need to manually end the SearchUI.exe or SearchApp.exe process via Task Manager. (To locate these processes, select CTRL + Shift + Esc then select the Details tab.) If you have restarted and tried the previous mitigations and are still encountering issues with Windows Search, you are not experiencing the issue described here. Please see Fix problems in Windows Search for other mitigations.
February 05, 2020
12:00 PM PT
January 2020 Windows 10, version 1909 \"D\" optional release is available.
The January 2020 optional monthly “D” release for Windows 10, version 1909 and Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
January 28, 2020
08:00 AM PT
January 2020 Windows \"C\" optional release is available.
The January 2020 optional monthly “C” release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
January 23, 2020
12:00 PM PT
Windows 7 has reached end of support
Windows 7 reached end of support on January 14, 2020. If your organization has not yet been able to complete your transition from Windows 7 to Windows 10, and want to continue to receive security updates while you complete your upgrade projects, please read How to get Extended Security Updates for eligible Windows devices. For more information on end of service dates for currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
January 15, 2020
10:00 AM PT
Take Action: Internet Explorer 11 now available on Windows Update/WSUS for Windows Server 2012 and Windows Embedded 8 Standard
Internet Explorer 11 (KB 4492872) is now available via Windows Update (WU) and Windows Server Update Services (WSUS) for commercial customers running Windows Server 2012 and Windows Embedded 8 Standard. For details about these changes and end of support for IE10, please refer to the IT Pro blog
August 29, 2019
08:00 AM PT
Take action: SHA-2 code signing support guidance for Windows 7 SP1 and Windows Server 2008 RS2 SP1
Windows 7 SP1 and Windows Server 2008 R2 SP1 update signatures are now SHA-2 based signatures and requires that SHA-2 support to be installed. For important customer guidance on installation and troubleshooting tips, please read the knowledge base article 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
August 23, 2019
03:35 PM PT
Take action: Windows 10, version 1703 (the Windows 10 Creators Update) reaches end of life on October 9, 2019
The Enterprise and Education editions of Windows 10, version 1703 (the Windows 10 Creators Update) will reach end of life on October 9, 2019. The Home, Pro, Pro for Workstations, and IoT Core editions reached end of service on October 8, 2018.

There is no extended support available for any edition of Windows 10, version 1703. Therefore, it will no longer be supported after October 9, 2019 and will not receive monthly security and quality updates containing protections from the latest security threats.

To continue receiving security and quality updates, Microsoft recommends that you update your devices to the latest version of Windows 10. For more information on end of service dates and currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
August 23, 2019
02:17 PM PT
Resolved: Delays starting Internet Explorer 11
On August 16, 2019 at 7:16 AM a server required for downloading the Internet Explorer 11 (IE11) startup page, went down. As a result of the server outage, IE 11 became unresponsive for some customers who had not yet installed the August 2019 security updates. Customers who had the August 2019 security update installed were not affected. In order to ensure your devices remain in a serviced and secure state, we recommend you install the latest monthly update.

This issue was resolved on the server side at 1:00 pm PST. 
August 16, 2019
04:00 PM PT
August 2019 security update now available for Windows 10, version 1903 and all supported versions of Windows
The August 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. A “B” release is the primary, regular update event for each month and is the only regular release that contains security fixes. As a result, we recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
August 13, 2019
10:00 AM PT
Advisory: Bluetooth encryption key size vulnerability disclosed (CVE-2019-9506)
On August 13, 2019, Microsoft released security updates to address a Bluetooth key length encryption vulnerability. To exploit this vulnerability, an attacker would need specialized hardware and would be limited by the signal range of the Bluetooth devices in use. For more information about this industry-wide issue, see CVE-2019-9506 | Bluetooth Encryption Key Size Vulnerability in the Microsoft Security Update Guide and important guidance for IT pros in KB4514157. (Note: we are documenting this vulnerability together with guidance for IT admins as part of a coordinated industry disclosure effort.)
August 13, 2019
10:00 AM PT
Advisory: Windows Advanced Local Procedure Call Elevation of Privilege vulnerability disclosed (CVE-2019-1162)
On August 13, 2019, Google Project Zero (GPZ) disclosed an Elevation of Privilege (EoP) vulnerability in how Windows handles calls to Advanced Local Procedure Call (ALPC) that affects Windows operating systems, versions 8.1 and higher. An attacker must already have code execution on the target system to leverage these vulnerabilities. Microsoft released security updates on August 13, 2019 that partially address this issue. Other items disclosed by GPZ require more time to address and we are working to release a resolution in mid-September. For more information, see CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability
August 13, 2019
10:00 AM PT
Take action: Windows 10, version 1803 (the April 2018 Update) reaches end of service on November 12, 2019
Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the Windows 10, version 1903 section of the Windows release health dashboard.
August 13, 2019
10:00 AM PT
Windows 10, version 1903 rollout begins
The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback.		May 21, 2019
10:00 AM PT
" diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 33ef3a0add..2c744d7f98 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -73,7 +73,7 @@ The Administrator account has full control of the files, directories, services, The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled. -In Windows 10 and Windows Server 20016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. +In Windows 10 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. **Account group membership** diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 69155363d3..a7532b9ecf 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -141,7 +141,7 @@ You can also check that Windows Defender Credential Guard is running by using th DG_Readiness_Tool_v3.6.ps1 -Ready ``` > [!IMPORTANT] -> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. +> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. > [!NOTE] diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index d0124ff8cf..5aef81711f 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -31,7 +31,7 @@ For Windows Defender Credential Guard to provide protection, the computers you a To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses: - Support for Virtualization-based security (required) - Secure boot (required) -- TPM 1.2 or 2.0, either discrete or firmware (preferred - provides binding to hardware) +- TPM 1.2 or 2.0 (preferred - provides binding to hardware), either discrete or firmware - UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) The Virtualization-based security requires: @@ -48,9 +48,9 @@ Credential Guard can protect secrets in a Hyper-V virtual machine, just as it wo - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10. -For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/) +For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/). -For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](https://docs.microsoft.com/windows/access-protection/remote-credential-guard#hardware-and-software-requirements) +For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](https://docs.microsoft.com/windows/access-protection/remote-credential-guard#hardware-and-software-requirements). ## Application requirements @@ -85,8 +85,9 @@ Computers that meet additional qualifications can provide additional protections The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. > [!NOTE] -> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
-> If you are an OEM, see [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
+> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers. +> +> If you are an OEM, see [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx). ### Baseline protections diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 57b0ea0add..07be2bbf3d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -31,7 +31,7 @@ Microsoft is committed to its vision of a world without passwords. We rec RDP currently does not support key based authentication and does not support self signed certificates. RDP with Windows Hello for Business is currently only supported with certificate based deployments. ## Can I deploy Windows Hello for Business using Microsoft Endpoint Configuration Manager? -Windows Hello for Business deployments using Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using Configuration Manager will no longer be supported after November 2018. +Windows Hello for Business deployments using Configuration Manager should use the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-hello-for-business-settings). ## How many users can enroll for Windows Hello for Business on a single Windows 10 computer? The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available. @@ -51,7 +51,7 @@ It is currently possible to set a convenience PIN on Azure Active Directory Join No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further. ## What is the password-less strategy? -Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less** +Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**. [Microsoft's password-less strategy](hello-videos.md#microsofts-passwordless-strategy) @@ -93,7 +93,7 @@ The **key trust** model authenticates to Active Directory using a raw key. Wind The **certificate trust** model authenticates to Active Directory using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to your end users, but you do not need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM protected private key to request a certificate from your enterprise's issuing certificate authority. ## Do I need Windows Server 2016 domain controllers? -There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment +There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment. ## What attributes are synchronized by Azure AD Connect with Windows Hello for Business? Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that are sync based on scenarios. The base scenarios that include Windows Hello for Business are [Windows 10](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes. @@ -111,7 +111,7 @@ Starting in Windows 10, version 1709, you can use multi-factor unlock to require Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. ## Why can't I enroll biometrics for my local built-in Administrator? -Windows 10 does not allow the local administrator to enroll biometric gestures(face or fingerprint). +Windows 10 does not allow the local administrator to enroll biometric gestures (face or fingerprint). ## I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model? No. If your organization is federated or using on-line services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory. @@ -144,7 +144,7 @@ The smart card emulation feature of Windows Hello for Business verifies the PIN No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fall back mechanism that is not a password. The PIN is the fall back mechanism. Disabling or hiding the PIN credential provider disabled the use of biometrics. ## How are keys protected? -Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software +Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software. Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to re-authenticate to the IDP before the IDP allows him or her to re-register). @@ -155,7 +155,7 @@ Yes. You can use the on-premises Windows Hello for Business deployment and comb Yes, if you are federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods). ## Does Windows Hello for Business work with third party federation servers? -Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) +Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). | Protocol | Description | | :---: | :--- | @@ -165,5 +165,5 @@ Windows Hello for Business can work with any third-party federation servers that | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. | ## Does Windows Hello for Business work with Mac and Linux clients? -Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) +Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index aaf98a84f7..8879dec483 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -73,8 +73,8 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft Remote Desktop ->[!NOTE] ->Microsoft Visio and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. +> [!NOTE] +> Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. ## List of WIP-work only apps from Microsoft Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions. diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index ff92a6c111..8b5a188647 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -115,7 +115,7 @@ This table provides info about the most common problems you might encounter whil WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager. - Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection. + Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.

If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection. @@ -138,5 +138,7 @@ This table provides info about the most common problems you might encounter whil > When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files. > [!NOTE] -> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +> Chromium-based versions of Microsoft Edge (versions since 79) don't fully support WIP yet. The functionality could be partially enabled by going to the local page **edge://flags/#edge-dataprotection** and setting the **Windows Information Protection** flag to **enabled**. +> [!NOTE] +> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 3344f60ecf..a3b27f24c3 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -26,15 +26,12 @@ This can cause devices or software to malfunction and in rare cases may result i If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. >[!NOTE] ->HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. AMD CPUs do not have MBE. - ->[!TIP] -> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode (RUM)." Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book +>Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance. ## HVCI Features -* HVCI protects modification of the Code Flow Guard (CFG) bitmap. -* HVCI also ensure your other Truslets, like Credential Guard have a valid certificate. +* HVCI protects modification of the Control Flow Guard (CFG) bitmap. +* HVCI also ensure your other Truslets, like Credential Guard, have a valid certificate. * Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI. ## How to turn on HVCI in Windows 10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index 73a0af658e..5e5df96421 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md @@ -29,8 +29,12 @@ Advanced hunting is a query-based threat-hunting tool that lets you explore up t You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines. ## Get started with advanced hunting +Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast. +

-We recommend going through several steps to quickly get up and running with advanced hunting. +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo] + +You can also go through each of the following steps to ramp up your advanced hunting knowledge. | Learning goal | Description | Resource | |--|--|--| diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md index 5323e67ad0..0dcf6e3af5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md @@ -40,7 +40,7 @@ For information on other tables in the advanced hunting schema, see [the advance | `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | | `OSVersion` | string | Version of the operating system running on the machine | | `OSArchitecture` | string | Architecture of the operating system running on the machine | -| `SoftwareVendor` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | +| `SoftwareVendor` | string | Name of the software vendor | | `SoftwareName` | string | Name of the software product | | `SoftwareVersion` | string | Version number of the software product | | `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system | diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 0da23ce0b5..49e8e3074a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -134,15 +134,15 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A ### Block Office applications from creating executable content -This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content. +This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk. -This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk. + Malware that abuse Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710 +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 Intune name: Office apps/macros creating executable content -Configuration Manager name: Block Office applications from creating executable content +SCCM name: Block Office applications from creating executable content GUID: 3B576869-A4EC-4529-8536-B80A7769E899 diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index c0073ce75e..28689c33c8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -24,7 +24,7 @@ ms.custom: asr - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803. +Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803. > [!TIP] > You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. @@ -93,7 +93,7 @@ Win32K | 260 | Untrusted Font ## Mitigation comparison -The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server 2016 (starting with version 1803), under [Exploit protection](exploit-protection.md). +The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server (starting with version 1803), under [Exploit protection](exploit-protection.md). The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 3c6f9f6bc7..64488a550e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -29,7 +29,9 @@ Network protection helps reduce the attack surface of your devices from Internet Network protection expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). -Network protection is supported beginning with Windows 10, version 1709. +Network protection is supported beginning with Windows 10, version 1709. + +For more details about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. > [!TIP] > You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md index 60c0833058..2fc67b8211 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md @@ -138,16 +138,16 @@ structure required for your environment. ## Adoption Order -In many cases organizations will have existing endpoint security products in -place. The bare minimum every organization should have is an antivirus solution. But in some cases an organization might also already implanted an EDR solution. -Historically, replacing any security solution was time intensive and difficult -to achieve due to the tight hooks into the application layer and infrastructure +In many cases, organizations will have existing endpoint security products in +place. The bare minimum every organization should have is an antivirus solution. But in some cases, an organization might also have implanted an EDR solution already. +Historically, replacing any security solution used to be time intensive and difficult +to achieve, due to the tight hooks into the application layer and infrastructure dependencies. However, because Microsoft Defender ATP is built into the -operating system, replacing third-party solutions is easy to achieve. +operating system, replacing third-party solutions is now easy to achieve. -Choose which component of Microsoft Defender ATP to be used and remove the ones -that do not apply. The table below indicates the Microsoft recommendation on the -order on how the endpoint security suite should be enabled. +Choose the component of Microsoft Defender ATP to be used and remove the ones +that do not apply. The table below indicates the order Microsoft recommends for +how the endpoint security suite should be enabled. | Component | Description | Adoption Order Rank | |-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------| @@ -159,4 +159,4 @@ order on how the endpoint security suite should be enabled. | Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable | ## Related topic -- [Production deployment](production-deployment.md) \ No newline at end of file +- [Production deployment](production-deployment.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md index a617060626..0b3f53d6f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md @@ -63,6 +63,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w - Each event hub message in Azure Event Hubs contains list of records. - Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**". - For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md). +- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information. ## Data types mapping: diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md index f0c242ed3a..682cc7e7d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md @@ -64,6 +64,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w - Each blob contains multiple rows. - Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties". - For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md). +- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information. ## Data types mapping: diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index a1c5557fed..2ade5dcf42 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md @@ -26,6 +26,11 @@ Cyberthreats are emerging more frequently and prevalently. It is critical for or Threat analytics is a set of reports published by Microsoft security researchers as soon as emerging threats and outbreaks are identified. The reports help you assess the impact of threats to your environment and identify actions that can contain them. +Watch this short video to quickly understand how threat analytics can help you track the latest threats and stop them. +

+ +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bw1f] + ## View the threat analytics dashboard The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It provides several overviews about the threats covered in the reports: diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md index e49cc30afe..56a0d71130 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md @@ -73,7 +73,7 @@ You'll need to whitelist the `securitycenter.windows.com` and all sub-domains un ## Portal communication issues -If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communciation. +If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communication. - `*.blob.core.windows.net crl.microsoft.com` @@ -89,4 +89,4 @@ crl.microsoft.com` ## Related topics -- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing.md) \ No newline at end of file +- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index 5a60f9e9ae..aa2f21d63e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md @@ -26,7 +26,7 @@ ms.topic: article Web content filtering is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns. -You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions. +You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions. If an element on the page you’re viewing is making calls to a resource which is blocked, you will see a block notification. Web content filtering is available on most major web browsers, with blocks performed by SmartScreen (Edge) and Network Protection (Internet Explorer, Chrome, Firefox, and all other browsers). See the prerequisites section for more information about browser support. @@ -73,7 +73,7 @@ Cyren's web content classification technology is integrated by design into Micro Learn more at https://www.cyren.com/products/url-filtering. -### Cyren permissions +### Cyren Permissions "Sign in and read user profile" allows Cyren to read your tenant info from your Microsoft Defender ATP account, such as your tenant ID, which will be tied to your Cyren license. @@ -168,4 +168,4 @@ You need to be logged in to an AAD account with either App administrator or Glob - [Web protection overview](web-protection-overview.md) - [Web threat protection](web-threat-protection.md) - [Monitor web security](web-protection-monitoring.md) -- [Respond to web threats](web-protection-response.md) \ No newline at end of file +- [Respond to web threats](web-protection-response.md) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md index c9c8515fe5..a20693d19b 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md @@ -32,6 +32,9 @@ If smart cards are used for authentication, the device should automatically lock If you select **Force Logoff** in the property sheet for this policy setting, the user is automatically logged off when the smart card is removed. Users will have to reinsert their smart cards and reenter their PINs when they return to their workstations. +> [!NOTE] +> This policy depends on **Smart Card Removal Policy** service. The service must be running for the policy to take effect, so it is recommended to set the startup type of the service to **Automatic**. + ### Possible values - No Action diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index c5ea9149b8..af838d196f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -50,7 +50,7 @@ Block at first sight requires a number of settings to be configured correctly or ### Confirm block at first sight is enabled with Intune -1. In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**. +1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Windows Defender Antivirus**. > [!NOTE] > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. @@ -119,19 +119,19 @@ If you had to change any of the settings, you should re-deploy the Group Policy ### Confirm block at first sight is enabled with the Windows Security app -You can confirm that block at first sight is enabled in Windows Settings. +You can confirm that block at first sight is enabled in your Windows security settings. -Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. +Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on. ### Confirm Block at First Sight is enabled on individual clients -1. Open the Windows Security app by clicking the shield icon in the task bar. +1. Open the Windows Security app. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Manage Settings** under **Virus & threat protection settings**: +2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**. ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) -3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. +3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on. > [!NOTE] > If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index fa061b9284..59f19f11c9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 02/13/2020 ms.reviewer: manager: dansimp --- @@ -47,7 +47,7 @@ To configure these settings: 5. Deploy the Group Policy Object as usual. -Location | Setting | Configuration topic +Location | Setting | Article ---|---|---|--- MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) @@ -67,13 +67,13 @@ Scan | Configure local setting override for the scan type to use for a scheduled ## Configure how locally and globally defined threat remediation and exclusions lists are merged -You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md). +You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md), [specified remediation lists](configure-remediation-windows-defender-antivirus.md), and [attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction). By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence. You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used. -**Use Group Policy to disable local list merging:** +### Use Group Policy to disable local list merging 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index fc883cd71d..3fb436099a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -13,7 +13,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: 01/06/2020 +ms.date: 02/12/2020 ms.reviewer: manager: dansimp --- @@ -45,11 +45,11 @@ The next major version of Microsoft Edge, which is Chromium-based, blocks potent #### Enable PUA protection in Chromium-based Microsoft Edge -Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is turned off by default, it can easily be turned on from within the browser. +Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser. -1. From the tool bar, select **Settings and more** > **Settings**. +1. Select the ellipses, and then choose **Settings**. 2. Select **Privacy and services**. -3. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off. +3. Under the **Services** section, turn on **Block potentially unwanted apps**. > [!TIP] > If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 80c59d0658..8631d5a627 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md @@ -23,27 +23,26 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/powershell/mt173057.aspx). +You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)). -For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) topic. +For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) topic. -PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. +PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. > [!NOTE] > PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/kb/927367). -Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. +Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_. - ## Use Windows Defender Antivirus PowerShell cmdlets -1. Click **Start**, type **powershell**, and press **Enter**. -2. Click **Windows PowerShell** to open the interface. -3. Enter the command and parameters. +1. In the Windows search bar, type **powershell**. +2. Select **Windows PowerShell** from the results to open the interface. +3. Enter the PowerShell command and any parameters. > [!NOTE] > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. @@ -53,6 +52,7 @@ To open online help for any of the cmdlets type the following: ```PowerShell Get-Help -Online ``` + Omit the `-online` parameter to get locally cached help. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 6fc44116aa..d25131d06d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -43,8 +43,8 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo - All clients are running Windows 10 version 1903 or above; - All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune; -> [!NOTE] -> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) + > [!NOTE] + > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM). - Some, but not all, apps are deployed using MEMCM; - Most users are local administrators on their devices; @@ -117,7 +117,7 @@ Alice follows these steps to complete this task: $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*" $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*" $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*" - Merge-CIPolicy -OutputFilePath = $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules + Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules ``` 7. If appropriate, add additional signer or file rules to further customize the policy for your organization. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index ba4929c2f6..b3b52de9b2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -46,7 +46,7 @@ Windows 10 includes two technologies that can be used for application control de Windows Defender Application Control (WDAC) was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC). > [!NOTE] -> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies. +> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies. WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: - Attributes of the codesigning certificate(s) used to sign an app and its binaries; @@ -58,9 +58,8 @@ WDAC policies apply to the managed computer as a whole and affects all users of ### WDAC System Requirements -WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above. -They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. -Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above. +WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above. +WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a scripthost like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10. ## AppLocker