diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 5ad808dbe7..1e5f3dcc03 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1727,6 +1727,21 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/overview-secure-score.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/secure-score-dashboard.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/enable-secure-score.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/partner-applications.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/partner-applications", "redirect_document_id": true @@ -15705,6 +15720,6 @@ "source_path": "windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md", "redirect_url": "https://docs.microsoft.com/configmgr/desktop-analytics/overview", "redirect_document_id": false -}, +} ] } diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index d1c0ab596f..c93f45cfd9 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -61,7 +61,9 @@ ## [Troubleshoot HoloLens](hololens-troubleshooting.md) ## [Known issues](hololens-known-issues.md) ## [Frequently asked questions](hololens-faq.md) +## [Frequently asked security questions](hololens-faq-security.md) ## [Hololens services status](hololens-status.md) +## [SCEP Whitepaper](scep-whitepaper.md) # [Release Notes](hololens-release-notes.md) # [Give us feedback](hololens-feedback.md) diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md index a183165e4a..3a194dc014 100644 --- a/devices/hololens/hololens-FAQ.md +++ b/devices/hololens/hololens-FAQ.md @@ -43,8 +43,10 @@ This FAQ addresses the following questions and issues: - [I'm having problems with the HoloLens clicker](#im-having-problems-with-the-hololens-clicker) - [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi) - [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start) +- [HoloLens Management Questions](#hololens-management-questions) - [How do I delete all spaces?](#how-do-i-delete-all-spaces) - [I cannot find or use the keyboard to type in the HoloLens 2 Emulator](#i-cannot-find-or-use-the-keyboard-to-type-in-the-hololens-2-emulator) +- [I can't log in to a HoloLens because it was previously set up for someone else](#i-cant-log-in-to-a-hololens-because-it-was-previously-set-up-for-someone-else) ## My holograms don't look right or are moving around @@ -204,6 +206,30 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe [Back to list](#list) + +## I can't log in to a HoloLens because it was previously set up for someone else + +If your device was previously set up for someone else, either a client or former employee and you don't have their password to unlock the device there are two solutions. +- If your device is MDM managed by Intune then you can remotely [Wipe](https://docs.microsoft.com/intune/remote-actions/devices-wipe) the device and it'll reflash itself. Make sure to leave **Retain enrollment state and user account** unchecked. +- If you have the device with you then you can put the device into **Flashing Mode** and use Advanced Recovery Companion to [recover](https://docs.microsoft.com/hololens/hololens-recovery) the device. + +[Back to list](#list) + +## HoloLens Management Questions + +1. **Can I use SCCM to manage the HoloLens?** + 1. No. An MDM must be used to manage the HoloLens +1. **Can I use Active Directory to manage HoloLens user accounts?** + 1. No, Azure AD must be used to manage user accounts. +1. **Is the HoloLens capable of ADCS auto enrollment?** + 1. No +1. **Can the HoloLens participate in WNA/IWA?** + 1. No +1. **Does the HoloLens support branding?** + 1. No. However, one work around is to create a custom app and enable Kiosk mode. The custom app can have branding which can then launch other apps (such as Remote Assist). Another option is to change all of the users profile pictures in AAD to your company logo. (However, this may not be desirable for all scenarios) +1. **What logging capabilities are available on HL1 and HL2?** + 1. Logging is limited to traces captured in developer/troubleshooting scenarios or telemetry sent to Microsoft servers. + ## How do I delete all spaces? *Coming soon* @@ -215,3 +241,4 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe *Coming soon* [Back to list](#list) + diff --git a/devices/hololens/hololens-commercial-infrastructure.md b/devices/hololens/hololens-commercial-infrastructure.md index ad23e185ee..757084bb86 100644 --- a/devices/hololens/hololens-commercial-infrastructure.md +++ b/devices/hololens/hololens-commercial-infrastructure.md @@ -10,104 +10,178 @@ ms.topic: article ms.localizationpriority: high ms.date: 1/23/2020 ms.reviewer: +audience: ITPro manager: bradke appliesto: - HoloLens (1st gen) - HoloLens 2 --- -# Configure Your Network +# Configure Your Network for HoloLens This portion of the document will require the following people: -1. Network Admin with permissions to make changes to the proxy/firewall -2. Azure Active Directory Admin -3. Mobile Device Manager Admin -4. Teams admin for Remote Assist only + +1. Network Admin with permissions to make changes to the proxy/firewall +2. Azure Active Directory Admin +3. Mobile Device Manager Admin ## Infrastructure Requirements +HoloLens is, at its core, a Windows mobile device integrated with Azure. It works best in commercial environments with wireless network availability (wi-fi) and access to Microsoft services. + +Critical cloud services include: + +- Azure active directory (AAD) +- Windows Update (WU) + +Commercial customers will need enterprise mobility management (EMM) or mobile device management (MDM) infrastructure to manage HoloLens devices at scale. This guide uses [Microsoft Intune](https://www.microsoft.com/enterprise-mobility-security/microsoft-intune) as an example, though any provider with full support for Microsoft Policy can support HoloLens. Ask your mobile device management provider if they support HoloLens 2. + +HoloLens does support a limited set of cloud disconnected experiences. + +### Wireless network EAP support + +- PEAP-MS-CHAPv2 +- PEAP-TLS +- TLS +- TTLS-CHAP +- TTLS-CHAPv2 +- TTLS-MS-CHAPv2 +- TTLS-PAP +- TTLS-TLS + ### HoloLens Specific Network Requirements -Make sure that these ports and URLs are allowed on your network firewall. This will enable HoloLens to function properly. The latest list can be found [here](hololens-offline.md). + +Make sure that [this list](hololens-offline.md) of endpoints are allowed on your network firewall. This will enable HoloLens to function properly. ### Remote Assist Specific Network Requirements -1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network). -**Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer.** +1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network). +**(Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).** 1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams). ### Guides Specific Network Requirements + Guides only require network access to download and use the app. ## Azure Active Directory Guidance -This step is only necessary if your company plans on managing the HoloLens and mixed reality apps. -### 1. Ensure that you have an Azure AD License. -Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md)for additional information. +>[!NOTE] +>This step is only necessary if your company plans on managing the HoloLens. -### 2. Ensure that your company’s users are in Azure Active Directory (Azure AD). +1. Ensure that you have an Azure AD License. +Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for additional information. + +1. If you plan on using Auto Enrollment, you will have to [Configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment) + +1. Ensure that your company’s users are in Azure Active Directory (Azure AD). Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory). -### 3. We suggest that users who will be need similar licenses are added to a group. -1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) +1. We suggest that users who need similar licenses are added to the same group. + 1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) + 1. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal) -2. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal) - -### 4. Ensure that your company’s users (or group of users) are assigned the necessary licenses. +1. Ensure that your company’s users (or group of users) are assigned the necessary licenses. Directions for assigning licenses can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/license-users-groups). -### 5. **IMPORTANT:** Only do this step if users are expected to enroll their HoloLens/Mobile device onto the network. +1. Only do this step if users are expected to enroll their HoloLens/Mobile device into you (There are three options) These steps ensure that your company’s users (or a group of users) can add devices. -1. Option 1: Give all users permission to join devices to Azure AD. + 1. **Option 1:** Give all users permission to join devices to Azure AD. **Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** > **Set Users may join devices to Azure AD to *All*** -1. Option 2: Give selected users/groups permission to join devices to Azure AD + 1. **Option 2:** Give selected users/groups permission to join devices to Azure AD **Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** > **Set Users may join devices to Azure AD to *Selected*** ![Image that shows Configuration of Azure AD Joined Devices](images/azure-ad-image.png) -1. Option 3: You can block all users from joining their devices to the domain. This means that all devices will need to be manually enrolled by your IT department. + 1. **Option 3:** You can block all users from joining their devices to the domain. This means that all devices will need to be manually enrolled. -## Mobile Device Manager Admin Steps +## Mobile Device Manager Guidance -### Scenario 1: Kiosk Mode -As a note, auto-launching an app does not currently work for HoloLens. +### Ongoing device management -How to Set Up Kiosk Mode Using Microsoft Intune. -#### 1. Sync Microsoft Store to Intune ([Here](https://docs.microsoft.com/intune/apps/windows-store-for-business)) +>[!NOTE] +>This step is only necessary if your company plans to manage the HoloLens. +Ongoing device management will depend on your mobile device management infrastructure. Most have the same general functionality but the user interface may vary widely. -#### 2. Check your app settings +1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. A list of CSPs for HoloLens can be found [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices). -1. Log into your Microsoft Store Business account -1. **Manage** > **Products and Services** > **Apps and Software** > **Select the app you want to sync** > **Private Store Availability** > **Select “Everyone” or “Specific Groups”** -1. If you do not see your apps in **Intune** > **Client Apps** > **Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again. +1. [Compliance policies](https://docs.microsoft.com/intune/device-compliance-get-started) are rules and settings that devices must meet to be compliant in your corporate infrastructure. Use these policies with Conditional Access to block access to company resources for devices that are non-compliant. For example, you can create a policy that requires Bitlocker be enabled. -#### 3. Configuring Kiosk Mode using MDM +1. [Create Compliance Policy](https://docs.microsoft.com/intune/protect/compliance-policy-create-windows). -Information on configuring Kiosk Mode in Intune can be found [here](https://docs.microsoft.com/hololens/hololens-kiosk#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) +1. Conditional Access allows/denies mobile devices and mobile applications from accessing company resources. Two documents you may find helpful are [Plan your CA Deployment](https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access) and [Best Practices](https://docs.microsoft.com/azure/active-directory/conditional-access/best-practices). - >[!NOTE] - >You can configure different users to have different Kiosk Mode experiences by using “Azure AD” as the “User logon type”. However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps. +1. [This article](https://docs.microsoft.com/intune/fundamentals/windows-holographic-for-business) talks about Intune's management tools for HoloLens. -![Image that shows Configuration of Kiosk Mode in Intune](images/aad-kioskmode.png) +1. [Create a device profile](https://docs.microsoft.com/intune/configuration/device-profile-create) -If you are configuring Kiosk Mode on an MDM other than Intune, please check your MDM provider's documentation. +### Manage updates -## Additional Intune Quick Links +Intune includes a feature called Update rings for Windows 10 devices, including HoloLens 2 and HoloLens v1 (with Holographic for Business). Update rings include a group of settings that determine how and when updates are installed. -1. [Create Profiles:](https://docs.microsoft.com/intune/configuration/device-profile-create) Profiles allow you to add and configure settings that will be pushed to the devices in your organization. +For example, you can create a maintenance window to install updates, or choose to restart after updates are installed. You can also choose to pause updates indefinitely until you're ready to update. -1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. Some CSPs are supported by HoloLens devices. (See the list of CSPs for HoloLens [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices). +Read more about [configuring update rings with Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). -1. [Create Compliance Policy](https://docs.microsoft.com/intune/protect/create-compliance-policy) +### Application management -1. Conditional Access allows/denies mobile devices and mobile applications from accessing company resources. Two documents you may find helpful are [Plan your CA Deployment](https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access) and [Best Practices](https://docs.microsoft.com/azure/active-directory/conditional-access/best-practices). +Manage HoloLens applications through: -## Certificates and Authentication -### MDM Certificate Distribution -If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certs for HoloLens Authentication, PFX or SCEP may be right for you. +1. Microsoft Store + The Microsoft Store is the best way to distribute and consume applications on HoloLens. There is a great set of core HoloLens applications already available in the store or you can [publish your own](https://docs.microsoft.com/windows/uwp/publish/). + All applications in the store are available publicly to everyone, but if it isn't acceptable, checkout the Microsoft Store for Business. + +1. [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/) + Microsoft Store for Business and Education is a custom store for your corporate environment. It lets you use the Microsoft Store built into Windows 10 and HoloLens to find, acquire, distribute, and manage apps for your organization. It also lets you deploy apps that are specific to your commercial environment but not to the world. + +1. Application deployment and management via Intune or another mobile device management solution + Most mobile device management solutions, including Intune, provide a way to deploy line of business applications directly to a set of enrolled devices. See this article for [Intune app install](https://docs.microsoft.com/intune/apps-deploy). + +1. _not recommended_ Device Portal + Applications can also be installed on HoloLens directly using the Windows Device Portal. This isn't recommended since Developer Mode has to be enabled to use the device portal. + +Read more about [installing apps on HoloLens](https://docs.microsoft.com/hololens/hololens-install-apps). + +### Certificates + +You can distribute certificates through your MDM provider. If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certificates for HoloLens Authentication, PFX or SCEP may be right for you. Steps for SCEP can be found [here](https://docs.microsoft.com/intune/protect/certificates-profile-scep). -### Device Certificates -Certificates can also be added to the HoloLens through package provisioning. Please see [HoloLens Provisioning](hololens-provisioning.md) for additional information. +### How to Upgrade to Holographics for Business Commercial Suite + +>[!NOTE] +>Windows Holographics for Business (commercial suite) is only intended for HoloLens 1st gen devices. The profile will not be applied to HoloLens 2 devices. + +Directions for upgrading to the commercial suite can be found [here](https://docs.microsoft.com/intune/configuration/holographic-upgrade). + +### How to Configure Kiosk Mode Using Microsoft Intune + +1. Sync Microsoft Store to Intune ([Here](https://docs.microsoft.com/intune/apps/windows-store-for-business)). + +1. Check your app settings + 1. Log into your Microsoft Store Business account + 1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select “Everyone” or “Specific Groups”** + 1. If you do not see your apps in **Intune > Client Apps > Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again. + +1. [Create a device profile for Kiosk mode](https://docs.microsoft.com/intune/configuration/kiosk-settings#create-the-profile) + +> [!NOTE] +> You can configure different users to have different Kiosk Mode experiences by using “Azure AD” as the “User logon type”. However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps. + +![Image that shows Configuration of Kiosk Mode in Intune](images/aad-kioskmode.png) + +For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, additional directions can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) + +## Certificates and Authentication + +Certificates can be deployed via you MDM (see "certificates" in the [MDM Section](hololens-commercial-infrastructure.md#mobile-device-manager-guidance)). Certificates can also be deployed to the HoloLens through package provisioning. Please see [HoloLens Provisioning](hololens-provisioning.md) for additional information. + +### Additional Intune Quick Links + +1. [Create Profiles:](https://docs.microsoft.com/intune/configuration/device-profile-create) Profiles allow you to add and configure settings that will be pushed to the devices in your organization. + +## Next (Optional) Step: [Configure HoloLens using a provisioning package](hololens-provisioning.md) + +## Next Step: [Enroll your device](hololens-enroll-mdm.md) diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md new file mode 100644 index 0000000000..b56e555f7d --- /dev/null +++ b/devices/hololens/hololens-faq-security.md @@ -0,0 +1,126 @@ +--- +title: Frequently Asked Security Questions +description: security questions frequently asked about the hololens +ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b +author: pawinfie +ms.author: pawinfie +ms.date: 02/19/2020 +keywords: hololens, Windows Mixed Reality, security +ms.prod: hololens +ms.sitesec: library +ms.topic: article +audience: ITPro +ms.localizationpriority: high +manager: bradke +appliesto: +- HoloLens 1 (1st gen) +- HoloLens 2 +--- + +# Frequently Asked Security Questions + +## HoloLens 1st Gen Security Questions + +1. **What type of wireless is used?** + 1. 802.11ac and Bluetooth 4.1 LE +1. **What type of architecture is incorporated? For example: point to point, mesh or something else?** + 1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points. + 1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices. +1. **What is FCC ID?** + 1. C3K1688 +1. **What frequency range and channels does the device operate on and is it configurable?** + 1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels. + 1. Bluetooth: Bluetooth uses the standard 2.4-2.48 GHz range. +1. **Can the device blacklist or white list specific frequencies?** + 1. This is not controllable by the user/device +1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?** + 1. Our emissions testing standards can be found [here](https://fccid.io/C3K1688). Range of operation is highly dependent on the access point and environment - but is roughly equivalent to other high-quality phones, tablets, or PCs. +1. **What is the duty cycle/lifetime for normal operation?** + 1. 2-3hrs of active use and up to 2 weeks of standby time + 1. Battery lifetime is unavailable. +1. **What is transmit and receive behavior when a tool is not in range?** + 1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect. +1. **What is deployment density per square foot?** + 1. This is dependent on your network infrastructure. +1. **Can device use the infrastructure as a client?** + 1. Yes +1. **What protocol is used?** + 1. HoloLens does not use any proprietary protocols +1. **OS update frequency – What is the frequency of OS updates for the HL? Is there a set schedule? Does Microsoft release security patches as needed, etc.** + 1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device. +1. **OS hardening – What options are there to harden the OS? Can we remove or shutdown unnecessary apps or services?** + 1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted. +1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?** + 1. HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed. +1. **What is the frequency of updates to apps in the store for HoloLens?** + 1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well. +1. **Is there a secure boot capability for the HoloLens?** + 1. Yes +1. **Is there an ability to disable or disconnect peripheral support from the device?** + 1. Yes +1. **Is there an ability to control or disable the use of ports on the device?** + 1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons. +1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.** + 1. Windows Holographic for Business (commercial suite) does support Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens. + 1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device. +1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.** + 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version. +1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?** + 1. No +1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** + 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client. + 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices. +1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** + 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. + +## HoloLens 2nd Gen Security Questions + +1. **What type of wireless is used?** + 1. 802.11ac and Bluetooth 5.0 +1. **What type of architecture is incorporated? For example: point to point, mesh or something else?** + 1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points. + 1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices. +1. **What is FCC ID?** + 1. C3K1855 +1. **What frequency range and channels does the device operate on and is it configurable?** + 1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels. +1. **Can the device blacklist or white list specific frequencies?** + 1. This is not controllable by the user/device +1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?** + 1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region’s regulatory rules. +1. **What is the duty cycle/lifetime for normal operation?** + 1. *Currently unavailable.* +1. **What is transmit and receive behavior when a tool is not in range?** + 1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect. +1. **What is deployment density per square foot?** + 1. This is dependent on your network infrastructure. +1. **Can device use the infrastructure as a client?** + 1. Yes +1. **What protocol is used?** + 1. HoloLens does not use any proprietary protocols +1. **OS update frequency – What is the frequency of OS updates for the HL? Is there a set schedule? Does Microsoft release security patches as needed, etc.** + 1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device. +1. **OS hardening – What options are there to harden the OS? Can we remove or shutdown unnecessary apps or services?** + 1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted. +1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?** + 1. HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed. +1. **What is the frequency of updates to apps in the store for HoloLens?** + 1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well. +1. **Is there a secure boot capability for the HoloLens?** + 1. Yes +1. **Is there an ability to disable or disconnect peripheral support from the device?** + 1. Yes +1. **Is there an ability to control or disable the use of ports on the device?** + 1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons. +1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.** + 1. HoloLens 2nd Gen supports Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens. + 1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device. +1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.** + 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version. +1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?** + 1. No +1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** + 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client. + 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices. +1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** + 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 633f296a3e..c5b4546772 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -12,7 +12,6 @@ ms.date: 1/6/2020 ms.reviewer: manager: dansimp appliesto: -- HoloLens (1st gen) - HoloLens 2 --- @@ -22,7 +21,7 @@ Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get ## Start receiving Insider builds -On a device running the Windows 10 April 2018 Update, go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. +On a HoloLens 2 device go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. @@ -30,7 +29,7 @@ Select **Confirm -> Restart Now** to finish up. After your device has rebooted, ## Stop receiving Insider builds -If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic. +If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Advanced Recovery Companion to recover your device to a non-Insider version of Windows Holographic. To verify that your HoloLens is running a production build: @@ -52,3 +51,54 @@ Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens to prov ## Note for developers You are welcome and encouraged to try developing your applications using Insider builds of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with Insider builds of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development. + + +## Windows Insider Release Notes + +HoloLens 2 Windows Insider builds are full of new features and improvements. Sign up for Windows Insider Fast or Slow flights to test them out! +Here's a quick summary of what's new: + +- Support for FIDO2 Security Keys to enable secure and easy authentication for shared devices +- Seamlessly apply a provisioning package from a USB drive to your HoloLens +- Use a provisioning packages to enroll your HoloLens to your Mobile Device Management system +- Use Windows AutoPilot to set up and pre-configure new devices, quickly getting them ready for productive use. Send a note to hlappreview@microsoft.com to join the preview. +- Dark Mode - many Windows apps support both dark and light modes, and now HoloLens customers can choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time. Navigate to Settings > System > Colors to find "Choose your default app mode." +- Support for additional system voice commands +- Hand Tracking improvements to reduce the tendency to close the index finger when pointing. This should make button pressing and 2D slate usage feel more accurate +- Performance and stability improvements across the product +- More information in settings on HoloLens about the policy pushed to the device + +Once you’ve had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers. + +### FIDO 2 support +Many of you share a HoloLens with lots of people in a work or school environment. Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long user names and passwords. FIDO lets anyone in your organization (AAD tenant) seamlessly sign in to HoloLens without entering a username or password. + +Read the [passwordless security docs](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to get started. + +### Provisioning package updates +Provisioning packages let you set HoloLens configuration through a config file rather than going through the HoloLens out of box experience. Previously, provisioning packages had to be copied onto HoloLens' internal memory, now they can be on a USB drive so they're easier to re-use on multiple HoloLens and so more people can provision HoloLens in parallel. + +1. To try it out, download the latest version of the Windows Configuration Designer from the Windows store onto your PC. +1. Select **Provision HoloLens Devices** > Select **Provision HoloLens 2 devices** +1. Build your configuration profile and, when you're done, copy all files created to a USB-C storage device. +1. Plug it into any freshly flashed HoloLens and press **Volume down + Power** to apply your provisioning package. + +### System voice commands +You can now can access these commands with your voice: +- "Restart device" +- "Shutdown device" +- "Brightness up" +- "Brightness down" +- "Volume up" +- "Volume down" +- "What is my IP address?" + +If you're running your system with a different language, please try the appropriate commands in that language. + +### FFU download and flash directions +To test with a flight signed ffu, you first have to flight unlock your device prior to flashing the flight signed ffu. +1. On PC + 1. Download ffu to your PC from: [https://aka.ms/hololenspreviewdownload](https://aka.ms/hololenspreviewdownload) + 1. Install ARC (Advanced Recovery Companion) from the Microsoft Store: [https://www.microsoft.com/store/productId/9P74Z35SFRS8](https://www.microsoft.com/store/productId/9P74Z35SFRS8) +1. On HoloLens - Flight Unlock: Open **Settings** > **Update & Security** > **Windows Insider Program** then sign up, reboot device +1. Flash FFU - Now you can flash the flight signed FFU using ARC diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index d0dbb126b7..ae870f5847 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -14,11 +14,9 @@ manager: dansimp # Set up HoloLens in kiosk mode - - In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#add-guest-access-to-the-kiosk-configuration-optional) -When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. +When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the [start gestures](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) (including [Bloom](https://docs.microsoft.com/hololens/hololens1-basic-usage) on HoloLens (1st Gen)) and Cortana are disabled, and placed apps aren't shown in the user's surroundings. @@ -41,14 +39,14 @@ The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft For HoloLens devices running Windows 10, version 1803, there are three methods that you can use to configure the device as a kiosk: - You can use [Microsoft Intune or other mobile device management (MDM) service](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) to configure single-app and multi-app kiosks. -- You can [use a provisioning package](#setup-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure single-app and multi-app kiosks. +- You can [use a provisioning package](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure single-app and multi-app kiosks. - You can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks. This method is recommended only for demonstrations, as it requires that developer mode be enabled on the device. For HoloLens devices running Windows 10, version 1607, you can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks. ## Start layout for HoloLens -If you use [MDM, Microsoft Intune](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803), or a [provisioning package](#setup-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout. +If you use [MDM, Microsoft Intune](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803), or a [provisioning package](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout. >[!NOTE] >Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed. @@ -58,7 +56,7 @@ If you use [MDM, Microsoft Intune](#set-up-kiosk-mode-using-microsoft-intune-or- Save the following sample as an XML file. You can use this file when you configure the multi-app kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile). >[!NOTE] ->If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-a-provisioning-package). +>If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-a-provisioning-package). ```xml - + ``` ### Start layout for a provisioning package -You will [create an XML file](#setup-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to define the kiosk configuration to be included in a provisioning package. Use the following sample in the `StartLayout` section of your XML file. +You will [create an XML file](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to define the kiosk configuration to be included in a provisioning package. Use the following sample in the `StartLayout` section of your XML file. ```xml @@ -102,11 +100,11 @@ You will [create an XML file](#setup-kiosk-mode-using-a-provisioning-package-win ## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803) -For HoloLens devices that are managed by Microsoft Intune, you [create a device profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk settings](https://docs.microsoft.com/intune/kiosk-settings). +For HoloLens devices that are managed by Microsoft Intune, directions can be found [here](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune). For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-a-kiosk-configuration-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file. -## Setup kiosk mode using a provisioning package (Windows 10, version 1803) +## Set up kiosk mode using a provisioning package (Windows 10, version 1803) Process: 1. [Create an XML file that defines the kiosk configuration.](#create-a-kiosk-configuration-xml-file) @@ -155,7 +153,7 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* 13. On the **Provisioning package security** page, do not select **Enable package encryption** or provisioning will fail on HoloLens. You can choose to enable package signing. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. 14. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location. @@ -181,7 +179,7 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* ## Set up kiosk mode using the Windows Device Portal (Windows 10, version 1607 and version 1803) -1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC. +1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC. >[!IMPORTANT] >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) @@ -202,17 +200,14 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* 5. Select **Enable Kiosk Mode**, choose an app to run when the device starts, and click **Save**. - ## Kiosk app recommendations - You cannot select Microsoft Edge, Microsoft Store, or the Shell app as a kiosk app. - We recommend that you do **not** select the Settings app and the File Explorer app as a kiosk app. -- You can select Cortana as a kiosk app. +- You can select Cortana as a kiosk app. - To enable photo or video capture, the HoloCamera app must be enabled as a kiosk app. ## More information - - Watch how to configure a kiosk in a provisioning package. ->[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] +>[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] \ No newline at end of file diff --git a/devices/hololens/hololens-licenses-requirements.md b/devices/hololens/hololens-licenses-requirements.md index 6d33228879..c89587c100 100644 --- a/devices/hololens/hololens-licenses-requirements.md +++ b/devices/hololens/hololens-licenses-requirements.md @@ -10,41 +10,53 @@ ms.topic: article ms.localizationpriority: high ms.date: 1/23/2020 ms.reviewer: +audience: ITPro manager: bradke appliesto: - HoloLens (1st gen) - HoloLens 2 --- -# Licenses Required for Mixed Reality Deployment - -If you plan on using a Mobile Device Management system (MDM) to manage your HoloLens, please review the MDM License Guidance section. +# Determine what licenses you need ## Mobile Device Management (MDM) Licenses Guidance +If you plan on managing your HoloLens devices, you will need Azure AD and an MDM. Active Director (AD) cannot be used to manage HoloLens devices. If you plan on using an MDM other than Intune, an [Azure Active Directory Licenses](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) is required. - -If you plan on using Intune as your MDM, you can acquire an [Enterprise Mobility + Security (EMS) suite (E3 or E5) licenses](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing). **Please note that Azure AD is included in both suites.** +If you plan on using Intune as your MDM, you can acquire an [Enterprise Mobility + Security (EMS) suite (E3 or E5) licenses](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing). **Please note that Azure AD is included in both suites.** ## Identify the licenses needed for your scenario and products +### HoloLens Licenses Requirements + +You may need to upgrade your HoloLens 1st Gen Device to Windows Holographic for Business. (See [HoloLens commercial features](holoLens-commercial-features.md#feature-comparison-between-editions) to determine if you need to upgrade). + + If so, you will need to do the following: + +- Acquire a HoloLens Enterprise license XML file +- Apply the XML file to the HoloLens. You can do this through a [Provisioning package](hololens-provisioning.md) or through your [Mobile Device Manager](https://docs.microsoft.com/intune/configuration/holographic-upgrade) + ### Remote Assist License Requirements + Make sure you have the required licensing and device. Updated licensing and product requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/requirements). -1. [Remote Assist License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) -1. [Teams Freemium/Teams](https://products.office.com/microsoft-teams/free) -1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) +1. [Remote Assist License](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/buy-and-deploy-remote-assist) +1. [Teams Freemium/Teams](https://products.office.com/microsoft-teams/free) +1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) ### Guides License Requirements + Updated licensing and device requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/guides/requirements). -1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) -1. [Power BI](https://powerbi.microsoft.com/desktop/) -1. [Guides](https://docs.microsoft.com/dynamics365/mixed-reality/guides/setup) +1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) +1. [Power BI](https://powerbi.microsoft.com/desktop/) +1. [Guides](https://docs.microsoft.com/dynamics365/mixed-reality/guides/setup) ### Scenario 1: Kiosk Mode -If you are not planning to use an MDM to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages. -1. If you are **not** planning to use an MDM to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages. -1. If you are planning to use an MDM other than Intune, your MDM provider will have steps on configuring Kiosk mode. -1. If you are planning to use **Intune** as your MDM, implementation directions can be found in [Configuring your Network for HoloLens](). +1. If you are **not** planning to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages. +1. If you are planning to use an MDM to implement Kiosk mode, you will need an [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis). + +Additional information regarding kiosk mode will be covered in [Configuring your Network for HoloLens](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune). + +## Next Step: [Configure your network for HoloLens](hololens-commercial-infrastructure.md) \ No newline at end of file diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index b22a4ef671..392032737a 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -14,46 +14,49 @@ manager: dansimp # Configure HoloLens using a provisioning package +[Windows provisioning](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) makes it easy for IT administrators to configure end-user devices without imaging. Windows Configuration Designer is a tool for configuring images and runtime settings which are then built into provisioning packages. +Some of the HoloLens configurations that you can apply in a provisioning package: -[Windows provisioning](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) makes it easy for IT administrators to configure end-user devices without imaging. Windows Configuration Designer is a tool for configuring images and runtime settings which are then built into provisioning packages. - -Some of the HoloLens configurations that you can apply in a provisioning package: -- Upgrade to Windows Holographic for Business +- Upgrade to Windows Holographic for Business [here](hololens1-upgrade-enterprise.md) - Set up a local account - Set up a Wi-Fi connection - Apply certificates to the device +- Enable Developer Mode +- Configure Kiosk mode (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803). -To create provisioning packages, you must install Windows Configuration Designer [from Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) or [from the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. - - - - -## Create a provisioning package for HoloLens using the HoloLens wizard +## Provisioning package HoloLens wizard The HoloLens wizard helps you configure the following settings in a provisioning package: - Upgrade to the enterprise edition >[!NOTE] - >Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md). + > This should only be used for HoloLens 1st Gen devices. Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md). - Configure the HoloLens first experience (OOBE) -- Configure Wi-Fi network +- Configure Wi-Fi network - Enroll device in Azure Active Directory or create a local account - Add certificates - Enable Developer Mode +- Configure kiosk mode. (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803)). >[!WARNING] >You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. -Provisioning packages can include management instructions and policies, customization of network connections and policies, and more. +Provisioning packages can include management instructions and policies, customization of network connections and policies, and more. > [!TIP] > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. +## Steps for Creating Provisioning Packages -### Create the provisioning package +### 1. Install Windows Configuration Designer on your PC. (There are two ways to do this). + +1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) +2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. + +### 2. Create the Provisioning Package Use the Windows Configuration Designer tool to create a provisioning package. @@ -61,9 +64,9 @@ Use the Windows Configuration Designer tool to create a provisioning package. 2. Click **Provision HoloLens devices**. - ![ICD start options](images/icd-create-options-1703.png) + ![ICD start options](images/icd-create-options-1703.png) -3. Name your project and click **Finish**. +3. Name your project and click **Finish**. 4. Read the instructions on the **Getting started** page and select **Next**. The pages for desktop provisioning will walk you through the following steps. @@ -72,7 +75,6 @@ Use the Windows Configuration Designer tool to create a provisioning package. ### Configure settings - @@ -84,10 +86,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. - **Next step**: [How to apply a provisioning package](#apply) - - -## Create a provisioning package for HoloLens using advanced provisioning +### 3. Create a provisioning package for HoloLens using advanced provisioning >[!NOTE] >Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md). @@ -106,7 +105,7 @@ After you're done, click **Create**. It only takes a few seconds. When the packa >[!IMPORTANT] >(For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens#perform_a_full_device_recovery). -8. On the **File** menu, click **Save**. +8. On the **File** menu, click **Save**. 4. Read the warning that project files may contain sensitive information, and click **OK**. @@ -135,9 +134,10 @@ After you're done, click **Create**. It only takes a few seconds. When the packa 9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. -10. When the build completes, click **Finish**. +10. When the build completes, click **Finish**. + ## Apply a provisioning package to HoloLens during setup 1. Connect the device via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). @@ -157,17 +157,17 @@ After you're done, click **Create**. It only takes a few seconds. When the packa >[!NOTE] >If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. -## Apply a provisioning package to HoloLens after setup +### 4. Apply a provisioning package to HoloLens after setup >[!NOTE] >Windows 10, version 1809 only On your PC: -1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md). -2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC. -3. Drag and drop the provisioning package to the Documents folder on the HoloLens. +1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md). +2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC. +3. Drag and drop the provisioning package to the Documents folder on the HoloLens. -On your HoloLens: +On your HoloLens: 1. Go to **Settings > Accounts > Access work or school**. 2. In **Related Settings**, select **Add or remove a provisioning package**. 3. On the next page, select **Add a package** to launch the file picker and select your provisioning package. If the folder is empty, make sure you select **This Device** and select **Documents**. @@ -192,9 +192,4 @@ In Windows Configuration Designer, when you create a provisioning package for Wi >[!NOTE] >App installation (**UniversalAppInstall**) using a provisioning package is not currently supported for HoloLens. - - - - - - +## Next Step: [Enroll your device](hololens-enroll-mdm.md) diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md index b2e0d48bc7..c873f08b58 100644 --- a/devices/hololens/hololens-recovery.md +++ b/devices/hololens/hololens-recovery.md @@ -110,8 +110,8 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper >In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion: 1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed. -1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit. It will the the only lit LED. - 1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device: +1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit. +1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device. 1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2. ### HoloLens (1st gen) diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md index aaf200a4b0..f2a5d92512 100644 --- a/devices/hololens/hololens-release-notes.md +++ b/devices/hololens/hololens-release-notes.md @@ -19,9 +19,17 @@ appliesto: # HoloLens Release Notes ## HoloLens 2 + > [!Note] > HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive). +### February Update - build 18362.1053 + +- Temporarily disabled the HolographicSpace.UserPresence API for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled. +- Fixed a random HUP crash cased by hand tracking, in which user will notice an UI freeze then back to shell after several seconds. +- We made an improvement in hand tracking so that while poking using index finger, the upper part of that finger will be less likely to curl unexpectedly. +- Improved reliability of head tracking, spatial mapping, and other runtimes. + ### January Update - build 18362.1043 - Stability improvements for exclusive apps when working with the HoloLens 2 emulator. @@ -85,7 +93,7 @@ Windows 10, version 1803, is the first feature update to Windows Holographic for - Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md). - You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq). -- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#wizard). +- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard). ![Provisioning HoloLens devices](images/provision-hololens-devices.png) @@ -97,7 +105,7 @@ Windows 10, version 1803, is the first feature update to Windows Holographic for - Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically. -- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business. +- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business. - You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts. diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index eb068d6e65..139648349b 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md @@ -6,6 +6,7 @@ ms.sitesec: library ms.assetid: 88bf50aa-0bac-4142-afa4-20b37c013001 author: scooley ms.author: scooley +audience: ITPro ms.topic: article ms.localizationpriority: medium ms.date: 07/15/2019 @@ -13,62 +14,67 @@ ms.date: 07/15/2019 # Deploy HoloLens in a commercial environment -You can deploy and configure HoloLens at scale in a commercial setting. +You can deploy and configure HoloLens at scale in a commercial setting. This article provides instructions for deploying HoloLens devices in a commercial environment. This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time. -This article includes: +This document also assumes that the HoloLens has been evaluated by security teams as safe to use on the corporate network. Frequently asked security questions can be found [here](hololens-faq-security.md) -- Infrastructure requirements and recommendations for HoloLens management -- Tools for provisioning HoloLens -- Instructions for remote device management -- Options for application deployment +## Overview of Deployment Steps -This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time. +1. [Determine what features you need](hololens-requirements.md#step-1-determine-what-you-need) +1. [Determine what licenses you need](hololens-licenses-requirements.md) +1. [Configure your network for HoloLens](hololens-commercial-infrastructure.md). + 1. This section includes bandwidth requirements, URL, and ports that need to be whitelisted on your firewall; Azure AD guidance; Mobile Device Management (MDM) Guidance; app deployment/management guidance; and certificate guidance. +1. (Optional) [Configure HoloLens using a provisioning package](hololens-provisioning.md) +1. [Enroll Device](hololens-enroll-mdm.md) +1. [Set up ring based updates for HoloLens](hololens-updates.md) +1. [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) -## Infrastructure for managing HoloLens +## Step 1. Determine what you need -HoloLens is, at its core, a Windows mobile device integrated with Azure. It works best in commercial environments with wireless network availability (wi-fi) and access to Microsoft services. +Before deploying the HoloLens in your environment, it is important to first determine what features, apps, and type of identities are needed. It is also important to ensure that your security team has approved of the use of the HoloLens on the company's network. Please see [Frequently ask security questions](hololens-faq-security.md) for additional security information. -Critical cloud services include: +### Type of Features -- Azure active directory (AAD) -- Windows Update (WU) +Your feature requirements will determine which HoloLens you need. One popular feature that we see deployed in customer environments frequently is Kiosk Mode. A list of HoloLens key features, and the editions of HoloLens that support them, can be found [here](hololens-commercial-features.md). -Commercial customers will need enterprise mobility management (EMM) or mobile device management (MDM) infrastructure to manage HoloLens devices at scale. This guide uses [Microsoft Intune](https://www.microsoft.com/enterprise-mobility-security/microsoft-intune) as an example, though any provider with full support for Microsoft Policy can support HoloLens. Ask your mobile device management provider if they support HoloLens 2. +**What is Kiosk Mode?** -HoloLens does support a limited set of cloud disconnected experiences. +Kiosk mode is a way to restrict the apps that a user has access to. This means that users will only be allowed to access certain apps. -## Initial set up at scale +**What Kiosk Mode do I require?** -The HoloLens out of box experience is great for setting up one or two devices or for experiencing HoloLens for the first time. If you're provisioning many HoloLens devices, however, selecting your language and settings manually for each device gets tedious and limits scale. +There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk mode allows user to only access one app while multi-app kiosk mode allows users to access multiple, specified apps. To determine which kiosk mode is right for your corporation, the following two questions need to be answered: -This section: +1. **Do different users require different experiences/restrictions?** Consider the following example: User A is a field service engineer who only needs access to Remote Assist. User B is a trainee who only needs access to Guides. + 1. If yes, you will require the following: + 1. Azure AD Accounts as the method of signing into the device. + 1. **Multi-app** kiosk mode. + 1. If no, continue to question two +1. **Do you require a multi-app experience?** + 1. If yes, **Multi-app** kiosk is mode is needed + 1. If your answer to question 1 and 2 are both no, **single-app** kiosk mode can be used -- Introduces Windows provisioning using provisioning packages -- Walks through applying a provisioning package during first setup +**How to Configure Kiosk Mode:** -### Create and apply a provisioning package +There are two main ways ([provisioning packages](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) and [MDM](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc. -The best way to configure many new HoloLens device is with Windows provisioning. You can use it to specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in minutes. +### Apps -A [provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) (.ppkg) is a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device. +The majority of the steps found in this document will also apply to the following apps: -### Upgrade to Windows Holographic for Business +1. Remote Assist +2. Guides +3. Customer Apps -- HoloLens Enterprise license XML file +### Type of identity -Some of the HoloLens configurations you can apply in a provisioning package: +Determine the type of identity that will be used to sign into the device. -- Apply certificates to the device -- Set up a Wi-Fi connection -- Pre-configure out of box questions like language and locale -- (HoloLens 2) bulk enroll in mobile device management -- (HoloLens v1) Apply key to enable Windows Holographic for Business +1. **Local Accounts:** This account is local to the device (like a local admin account on a windows PC). This will allow only 1 user to log into the device. +2. **MSA:** This is a personal account (like outlook, hotmail, gmail, yahoo, etc.) This will allow only 1 user to log into the device. +3. **Azure Active Directory (Azure AD) accounts:** This is an account created in Azure AD. This grants your corporation the ability to manage the HoloLens device. This will allow multiple users to log into the HoloLens 1st Gen Commercial Suite/the HoloLens 2 device. -Follow [this guide](https://docs.microsoft.com/hololens/hololens-provisioning) to create and apply a provisioning package to HoloLens. - -### Set up user identity and enroll in device management - -The last step in setting up HoloLens for management at scale is to enroll devices with mobile device management infrastructure. There are several ways to enroll: +### Determine your enrollment method 1. Bulk enrollment with a security token in a provisioning package. Pros: this is the most automated approach @@ -80,66 +86,29 @@ The last step in setting up HoloLens for management at scale is to enroll device Pros: possible to enroll after set up Cons: most manual approach and devices aren't centrally manageable until they're manually enrolled. -Learn more about MDM enrollment [here](hololens-enroll-mdm.md). + More information can be found [here](hololens-enroll-mdm.md) -## Ongoing device management +### Determine if you need to create a provisioning package -Ongoing device management will depend on your mobile device management infrastructure. Most have the same general functionality but the user interface may vary widely. +There are two methods to configure a HoloLens device (Provisioning packages and MDMs). We suggest using your MDM to configure you HoloLens device. However, there are some scenarios where using a provisioning package is the better choice: -This article outlines [policies and capabilities HoloLens supports](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#hololens). +1. You want to configure the HoloLens to skip the Out of Box Experience (OOBE) +1. You are having trouble deploying certificate in a complex network. The majority of the time you can deploy certificates using MDM (even in complex environments). However, some scenarios require certificates to be deployed through the provisioning package. -[This article](https://docs.microsoft.com/intune/windows-holographic-for-business) talks about Intune's management tools for HoloLens. +Some of the HoloLens configurations you can apply in a provisioning package: -### Push compliance policy via Intune +- Apply certificates to the device +- Set up a Wi-Fi connection +- Pre-configure out of box questions like language and locale +- (HoloLens 2) bulk enroll in mobile device management +- (HoloLens v1) Apply key to enable Windows Holographic for Business -[Compliance policies](https://docs.microsoft.com/intune/device-compliance-get-started) are rules and settings that devices must meet to be compliant in your corporate infrastructure. Use these policies with Conditional Access to block access to company resources for devices that are non-compliant. +If you decide to use provisioning packages, follow [this guide](hololens-provisioning.md). -For example, you can create a policy that requires Bitlocker be enabled. - -[Create compliance policies with Intune](https://docs.microsoft.com/intune/compliance-policy-create-windows). - -### Manage updates - -Intune includes a feature called Update rings for Windows 10 devices, including HoloLens 2 and HoloLens v1 (with Holographic for Business). Update rings include a group of settings that determine how and when updates are installed. - -For example, you can create a maintenance window to install updates, or choose to restart after updates are installed. You can also choose to pause updates indefinitely until you're ready to update. - -Read more about [configuring update rings with Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). - -## Application management - -Manage HoloLens applications through: - -1. Microsoft Store - The Microsoft Store is the best way to distribute and consume applications on HoloLens. There is a great set of core HoloLens applications already available in the store or you can [publish your own](https://docs.microsoft.com/windows/uwp/publish/). - All applications in the store are available publicly to everyone, but if it isn't acceptable, checkout the Microsoft Store for Business. - -1. [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/) - Microsoft Store for Business and Education is a custom store for your corporate environment. It lets you use the Microsoft Store built into Windows 10 and HoloLens to find, acquire, distribute, and manage apps for your organization. It also lets you deploy apps that are specific to your commercial environment but not to the world. - -1. Application deployment and management via Intune or another mobile device management solution - Most mobile device management solutions, including Intune, provide a way to deploy line of business applications directly to a set of enrolled devices. See this article for [Intune app install](https://docs.microsoft.com/intune/apps-deploy). - -1. _not recommended_ Device Portal - Applications can also be installed on HoloLens directly using the Windows Device Portal. This isn't recommended since Developer Mode has to be enabled to use the device portal. - -Read more about [installing apps on HoloLens](https://docs.microsoft.com/hololens/hololens-install-apps). +## Next Step: [Determine what licenses you need](hololens-licenses-requirements.md) ## Get support Get support through the Microsoft support site. -[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f). - -## Technical Reference - -### Wireless network EAP support - -- PEAP-MS-CHAPv2 -- PEAP-TLS -- TLS -- TTLS-CHAP -- TTLS-CHAPv2 -- TTLS-MS-CHAPv2 -- TTLS-PAP -- TTLS-TLS +[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f) diff --git a/devices/hololens/hololens-whats-new.md b/devices/hololens/hololens-whats-new.md index 59c777fdec..064d470afc 100644 --- a/devices/hololens/hololens-whats-new.md +++ b/devices/hololens/hololens-whats-new.md @@ -43,16 +43,14 @@ manager: dansimp | Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. | | Set HoloLens device name through MDM (rename) |  IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. | -### For international customers - +### For international customers Feature | Details ---- | --- +--- | --- Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. -Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. - -[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) +Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. +[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) ## Windows 10, version 1803 for Microsoft HoloLens @@ -60,11 +58,11 @@ Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes: -- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md). +- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md). - You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq). -- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#wizard). +- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard). ![Provisioning HoloLens devices](images/provision-hololens-devices.png) @@ -74,9 +72,9 @@ Windows 10, version 1803, is the first feature update to Windows Holographic for - Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens. -- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically. +- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically. -- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business. +- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business. - You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts. diff --git a/devices/hololens/hololens1-start.md b/devices/hololens/hololens1-start.md index 466fc431b2..8cb970020a 100644 --- a/devices/hololens/hololens1-start.md +++ b/devices/hololens/hololens1-start.md @@ -6,7 +6,7 @@ ms.prod: hololens author: Teresa-Motiv ms.author: v-tea ms.topic: article -ms.date: 8/12/19 +ms.date: 8/12/2019 manager: jarrettr ms.topic: article ms.localizationpriority: high @@ -26,9 +26,9 @@ Before you get started, make sure you have the following available: **A Wi-Fi connection**. You'll need to connect your HoloLens to a Wi-Fi network to set it up. The first time you connect, you'll need an open or password-protected network that doesn't require navigating to a website or using certificates to connect. [Learn more about the websites that HoloLens uses](hololens-offline.md). -**A Microsoft account or a work account**. You'll also need to use a Microsoft account (or a work account, if your organization owns the device) to sign in to HoloLens. If you don't have a Microsoft account, go to [account.microsoft.com](http://account.microsoft.com) and set one up for free. +**A Microsoft account or a work account**. You'll also need to use a Microsoft account (or a work account, if your organization owns the device) to sign in to HoloLens. If you don't have a Microsoft account, go to [account.microsoft.com](https://account.microsoft.com) and set one up for free. -**A safe, well-lit space with no tripping hazards**. [Health and safety info](http://go.microsoft.com/fwlink/p/?LinkId=746661). +**A safe, well-lit space with no tripping hazards**. [Health and safety info](https://go.microsoft.com/fwlink/p/?LinkId=746661). **The optional comfort accessories** that came with your HoloLens, to help you get the most comfortable fit. [More on fit and comfort](https://support.microsoft.com/help/12632/hololens-fit-your-hololens). diff --git a/devices/hololens/images/mdm-enrollment-error.png b/devices/hololens/images/mdm-enrollment-error.png new file mode 100644 index 0000000000..77b695d1cf Binary files /dev/null and b/devices/hololens/images/mdm-enrollment-error.png differ diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md new file mode 100644 index 0000000000..06b7527960 --- /dev/null +++ b/devices/hololens/scep-whitepaper.md @@ -0,0 +1,77 @@ +--- +title: SCEP Whitepaper +description: A whitepaper that describes how Microsoft mitigates the vulnerabilities of SCEP. +ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b +author: pawinfie +ms.author: pawinfie +ms.date: 02/12/2020 +keywords: hololens, Windows Mixed Reality, security +ms.prod: hololens +ms.sitesec: library +ms.topic: article +audience: ITPro +ms.localizationpriority: high +appliesto: +- HoloLens 1 (1st gen) +- HoloLens 2 +--- + +# SCEP Whitepaper + +## High Level + +### How the SCEP Challenge PW is secured + +We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we’ve configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes. + +We then pass that to the device and then the device generates it’s CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected. + +## Behind the scenes + +### Intune Connector has a number of responsibilities + +1. The connector is SCEP policy module which contains a "Certification Registration Point" component which interacts with the Intune service, and is responsible for validating, and securing the SCEP request coming into the NDES server. + +1. The connector will install an App Pool on the NDES IIS server > Microsoft Intune CRP service Pool, and a CertificateRegistrationSvc under the "Default Web Site" on IIS. + +1. **When the Intune NDES connector is first configured/setup on the NDES server, a certificate is issued from the Intune cloud service to the NDES server. This cert is used to securely communicate with the Intune cloud service - customer tenant. The cert is unique to the customers NDES server. Can be viewed in Certlm.msc issued by SC_Online_Issuing. This certs Public key is used by Intune in the cloud to encrypt the challenge blob. In addition, when the connector is configured, Intune's public key is sent to the NDES server.** + >[!NOTE] + >The connector communication with Intune is strictly outbound traffic. + +1. The Intune cloud service combined with the Intune connector/policy module addresses the SCEP protocol challenge password weakness (in the SCEP protocol) by generating a custom challenge. The challenge is generated in Intune itself. + + 1. In the challenge blob, Intune puts information that we expect in the cert request (CSR - Certificate Signing Request) coming from a mobile device like the following: what we expect the Subject and SAN (validated against AAD attributes/properties of the user/device) to be, and specifics contained in the Intune SCEP profile that is created by an Intune admin, i.e., Request Handling, EKU, Renewal, validity period, key size, renewal period. + >[!NOTE] + >The Challenge blob is Encrypted with the Connectors Public Key, and Signed with Intune's (cloud service) Private Key. The device cannot decrypt the challenge + + 1. When an Intune admin creates a SCEP profile in their tenant, Intune will send the SCEP profile payload along with the Encrypted and Signed Challenge to the targeted device. The device generates a CSR, and reaches out to NDES URL (contained in the SCEP profile). The device cert request payload contains the CSR, and the encrypted, signed challenge blob. + + 1. When the device reaches out to the NDES server (via the NDES/SCEP URL provided in the SCEP Profile payload), the SCEP cert request validation is performed by the policy module running on the NDES server. The challenge signature is verified using Intune's public key (which is on the NDES server, when the connector was installed and configured) and decrypted using the connectors private key. The policy module compares the CSR details against the decrypted challenge and determines if a cert should be issued. If the CSR passes validation, the NDES server requests a certificate from the CA on behalf of the user/device. + >[!NOTE] + >The above process takes place on the NDES server running the Policy Module. No interaction with the Intune cloud service takes place. + + 1. The NDES connector notification/reporting of cert delivery takes place after NDES sends the issued cert to the device. This is performed as a separate operation outside the cert request flow. Meaning that once NDES sends the cert to the device via the AAD app proxy (or other publishing firewall/proxy, a log is written with the cert delivery details on the NDES server by the connector (file location \Program Files\Microsoft Intune\CertificateRequestStatus\Succeed\ folder. The connector will look here, and send updates to Intune. + + 1. The mobile device must be enrolled in Intune. If not, we reject the request as well + + 1. The Intune connector disables the standard NDES challenge password request URL on the NDES server. + + 1. The NDES server SCEP URI in most customer deployments is made available to the internet via Azure App Proxy, or an on-prem reverse proxy, i.e. F5. + >[!NOTE] + >The Azure App Proxy is an outbound-only connection over Port 443, from the customers onprem network where the App Proxy connector is running on a server. The AAD app proxy can also be hosted on the NDES server. No inbound ports required when using Azure App Proxy. + + 1. The mobile device talks only to the NDES URI + + 1. Side note: AAD app proxy's role is to make onprem resources (like NDES and other customer onprem web services) securely available to the internet. + + 1. The Intune connector must communicate with the Intune cloud service. The connector communication will not go through the Azure App Proxy. The connector will talk with the Intune cloud service via whatever mechanism a customer has onprem to allow outbound traffic to the internet, i.e. Internal proxy service. + >[!NOTE] + > if a proxy is used by the customer, no SSL packet inspection can take place for the NDES/Connector server going out. + +1. Connector traffic with Intune cloud service consists of the following operations: + + 1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup. + + 1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors’ SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won’t be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet. + +1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications. diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index 8196982606..7b44ff3d38 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -617,7 +617,7 @@ try { catch { PrintError "Some dependencies are missing" - PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to http://www.microsoft.com/download/details.aspx?id=39366" + PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to https://www.microsoft.com/download/details.aspx?id=39366" PrintError "Please install the Azure Active Directory module for PowerShell from https://go.microsoft.com/fwlink/p/?linkid=236297" CleanupAndFail } @@ -1104,7 +1104,7 @@ if ($fSfbIsOnline) } catch { - CleanupAndFail "To verify Skype for Business in online tenants you need the Lync Online Connector module from http://www.microsoft.com/download/details.aspx?id=39366" + CleanupAndFail "To verify Skype for Business in online tenants you need the Lync Online Connector module from https://www.microsoft.com/download/details.aspx?id=39366" } } else @@ -1518,7 +1518,7 @@ if ($online) catch { PrintError "Some dependencies are missing" - PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to http://www.microsoft.com/download/details.aspx?id=39366" + PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to https://www.microsoft.com/download/details.aspx?id=39366" PrintError "Please install the Azure Active Directory module for PowerShell from https://go.microsoft.com/fwlink/p/?linkid=236297" CleanupAndFail } diff --git a/devices/surface-hub/images/surface-hub-2s-repack-1.png b/devices/surface-hub/images/surface-hub-2s-repack-1.png index cab6f33cb7..c78a536083 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-repack-1.png and b/devices/surface-hub/images/surface-hub-2s-repack-1.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-repack-10.png b/devices/surface-hub/images/surface-hub-2s-repack-10.png index 7f3c6ab51c..ae99a0697a 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-repack-10.png and b/devices/surface-hub/images/surface-hub-2s-repack-10.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-repack-11.png b/devices/surface-hub/images/surface-hub-2s-repack-11.png index 0e0485056a..1d79a116ef 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-repack-11.png and b/devices/surface-hub/images/surface-hub-2s-repack-11.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-repack-12.png b/devices/surface-hub/images/surface-hub-2s-repack-12.png index 7032cbc1b7..67108c5110 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-repack-12.png and b/devices/surface-hub/images/surface-hub-2s-repack-12.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-repack-13.png b/devices/surface-hub/images/surface-hub-2s-repack-13.png index 465ce22bee..565d0469c5 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-repack-13.png and b/devices/surface-hub/images/surface-hub-2s-repack-13.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-repack-2.png b/devices/surface-hub/images/surface-hub-2s-repack-2.png index f8fbc235b6..117f0d5899 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-repack-2.png and b/devices/surface-hub/images/surface-hub-2s-repack-2.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-repack-3.png b/devices/surface-hub/images/surface-hub-2s-repack-3.png index e270326ab9..53afdbd11c 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-repack-3.png and b/devices/surface-hub/images/surface-hub-2s-repack-3.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-repack-4.png b/devices/surface-hub/images/surface-hub-2s-repack-4.png index 42bc3a0389..cc213389d9 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-repack-4.png and b/devices/surface-hub/images/surface-hub-2s-repack-4.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-repack-5.png b/devices/surface-hub/images/surface-hub-2s-repack-5.png index d6457cd161..202963bcb5 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-repack-5.png and b/devices/surface-hub/images/surface-hub-2s-repack-5.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-repack-6.png b/devices/surface-hub/images/surface-hub-2s-repack-6.png index 73b8a14630..d7617b8f1b 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-repack-6.png and b/devices/surface-hub/images/surface-hub-2s-repack-6.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-repack-7.png b/devices/surface-hub/images/surface-hub-2s-repack-7.png index 54a20e2257..18310ea9cb 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-repack-7.png and b/devices/surface-hub/images/surface-hub-2s-repack-7.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-repack-8.png b/devices/surface-hub/images/surface-hub-2s-repack-8.png index f2dcac60ed..fb5b8929bb 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-repack-8.png and b/devices/surface-hub/images/surface-hub-2s-repack-8.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-repack-9.png b/devices/surface-hub/images/surface-hub-2s-repack-9.png index c067cbf1d8..be9ceb2bee 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-repack-9.png and b/devices/surface-hub/images/surface-hub-2s-repack-9.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-replace-camera-1.png b/devices/surface-hub/images/surface-hub-2s-replace-camera-1.png index 10530cba1e..57ed3f50a6 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-replace-camera-1.png and b/devices/surface-hub/images/surface-hub-2s-replace-camera-1.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-replace-camera-2.png b/devices/surface-hub/images/surface-hub-2s-replace-camera-2.png index 119dc21a5a..888d417b0e 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-replace-camera-2.png and b/devices/surface-hub/images/surface-hub-2s-replace-camera-2.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-1.png b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-1.png index ceebc3d5fd..5924546a4c 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-1.png and b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-1.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-10.png b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-10.png index 77ab33c1d5..a1d6d6d163 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-10.png and b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-10.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-2.png b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-2.png index 3cf6d0ec62..ddb0ccfc7d 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-2.png and b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-2.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-3.png b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-3.png index d44ad9d37c..1e9156e94f 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-3.png and b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-3.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-4.png b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-4.png index ffbec86f57..9885cc6c7a 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-4.png and b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-4.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-5.png b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-5.png index 90ddf71366..54cb393ff4 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-5.png and b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-5.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-6.png b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-6.png index 5020d16853..e74270f93b 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-6.png and b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-6.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-7.png b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-7.png index 9ea535dff4..39fd3da31f 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-7.png and b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-7.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-8.png b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-8.png index 1a64ae0ebb..c68b5fab64 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-8.png and b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-8.png differ diff --git a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-9.png b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-9.png index 9d9bc52c66..6acb8a627d 100644 Binary files a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-9.png and b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-9.png differ diff --git a/devices/surface-hub/surface-hub-2s-onprem-powershell.md b/devices/surface-hub/surface-hub-2s-onprem-powershell.md index fb2c98dcbd..6a0553f72e 100644 --- a/devices/surface-hub/surface-hub-2s-onprem-powershell.md +++ b/devices/surface-hub/surface-hub-2s-onprem-powershell.md @@ -26,12 +26,6 @@ $ExchSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUr Import-PSSession $ExchSession ``` -```PowerShell -$ExchServer = Read-Host "Please Enter the FQDN of your Exchange Server" -$ExchSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$ExchServer/PowerShell/ -Authentication Kerberos -Credential (Get-Credential) -Import-PSSession $ExchSession -``` - ## Create the device account ```PowerShell diff --git a/devices/surface-hub/surface-hub-2s-pack-components.md b/devices/surface-hub/surface-hub-2s-pack-components.md index 287f43ec7b..ff8dbd07ad 100644 --- a/devices/surface-hub/surface-hub-2s-pack-components.md +++ b/devices/surface-hub/surface-hub-2s-pack-components.md @@ -9,7 +9,7 @@ ms.author: greglin manager: laurawi audience: Admin ms.topic: article -ms.date: 07/1/2019 +ms.date: 02/06/2019 ms.localizationpriority: Medium --- @@ -24,62 +24,45 @@ If you replace your Surface Hub 2S, one of its components, or a related accessor Use the following steps to pack your Surface Hub 2S 50" for shipment. -![The Surface Hub unit and mobile stand.](images/surface-hub-2s-repack-1.png) -![Remove the pen and the camera. Do not pack them with the unit.](images/surface-hub-2s-repack-2.png) +| | | | +| - | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----- | +| **1.** | Remove the pen and the camera. Do not pack them with the unit. | ![Remove the pen and the camera. Do not pack them with the unit.](images/surface-hub-2s-repack-2.png) | +| **2.** | Remove the drive and the power cable. Do not pack them with the unit. Do not pack the Setup guide with the unit. | ![Remove the drive and the power cable. Do not pack them with the unit.](images/surface-hub-2s-repack-3.png) | +| **3.** | Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge. | ![Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge.](images/surface-hub-2s-repack-5.png) | +| **4.** | Slide the Compute Cartridge out of the unit. | ![Slide the Compute Cartridge out of the unit.](images/surface-hub-2s-repack-6.png) | +| **5.** | You will need the Compute Cartridge and a screwdriver. | ![You will need the Compute Cartridge and a screwdriver.](images/surface-hub-2s-repack-7.png)| +| **6.** | Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD). | ![Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD).](images/surface-hub-2s-repack-8.png)| +| **7.** | Replace the cover and slide the Compute Cartridge back into the unit. | ![Replace the cover and slide the Compute Cartridge back into the unit.](images/surface-hub-2s-repack-9.png)| +| **8.** | Re-fasten the locking screw and slide the cover into place. | ![Re-fasten the locking screw and slide the cover into place.](images/surface-hub-2s-repack-10.png)| +| **9.** | Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container. | ![Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container.](images/surface-hub-2s-repack-11.png)| +| **10.** | Replace the cover of the shipping container, and insert the four clips. | ![Replace the cover of the shipping container, and insert the four clips.](images/surface-hub-2s-repack-12.png| +| **11.** | Close the four clips. | ![Close the four clips.](images/surface-hub-2s-repack-13.png)| -![Remove the drive and the power cable. Do not pack them with the unit.](images/surface-hub-2s-repack-3.png) - -![Do not pack the Setup guide with the unit.](images/surface-hub-2s-repack-4.png) - -![Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge.](images/surface-hub-2s-repack-5.png) - -![Slide the Compute Cartridge out of the unit.](images/surface-hub-2s-repack-6.png) - -![You will need the Compute Cartridge and a screwdriver.](images/surface-hub-2s-repack-7.png) - -![Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD).](images/surface-hub-2s-repack-8.png) - -![Replace the cover and slide the Compute Cartridge back into the unit.](images/surface-hub-2s-repack-9.png) - -![Re-fasten the locking screw and slide the cover into place.](images/surface-hub-2s-repack-10.png) - -![Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container.](images/surface-hub-2s-repack-11.png) - -![Replace the cover of the shipping container, and insert the four clips.](images/surface-hub-2s-repack-12.png) - -![Close the four clips.](images/surface-hub-2s-repack-13.png) ## How to replace and pack your Surface Hub 2S Compute Cartridge -Use the following steps to remove the Surface Hub 2S Compute Cartridge, pack it for shipment, and install the new Compute Cartridge. +Use the following steps to remove the Surface Hub 2S Compute Cartridge, pack it for shipment, and install the new Compute Cartridge.
+ ![Image of the compute cartridge.](images/surface-hub-2s-replace-cartridge-1.png) -![Image of the compute cartridge.](images/surface-hub-2s-replace-cartridge-1.png) - -![Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge.](images/surface-hub-2s-replace-cartridge-2.png) - -![Slide the Compute Cartridge out of the unit.](images/surface-hub-2s-replace-cartridge-3.png) - -![You will need the Compute Cartridge and a screwdriver.](images/surface-hub-2s-replace-cartridge-4.png) - -![Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD). When finished, replace the cover.](images/surface-hub-2s-repack-8.png) - -![You will need the packaging fixtures that were used to package your replacement Compute Cartridge.](images/surface-hub-2s-replace-cartridge-6.png) - -![Place the old Compute Cartridge in the packaging fixtures.](images/surface-hub-2s-replace-cartridge-7.png) - -![Place the old Compute Cartridge and its packaging into the box that was used for the replacement Compute Cartridge. Reseal the box.](images/surface-hub-2s-replace-cartridge-8.png) - -![Image of the replacement Compute Cartridge.](images/surface-hub-2s-replace-cartridge-1.png) - -![Slide the replacement Compute Cartridge into the unit.](images/surface-hub-2s-replace-cartridge-9.png) - -![Fasten the locking screw and slide the cover into place.](images/surface-hub-2s-replace-cartridge-10.png) +| | | | +| - | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----- | +| **1.** | Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge. | ![Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge.](images/surface-hub-2s-replace-cartridge-2.png) | +| **2.** | Slide the Compute Cartridge out of the unit. | ![Slide the Compute Cartridge out of the unit.](images/surface-hub-2s-replace-cartridge-3.png) | +| **3.** | You will need the Compute Cartridge and a screwdriver. | ![You will need the Compute Cartridge and a screwdriver.](images/surface-hub-2s-replace-cartridge-4.png) | +| **4.** | Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD). When finished, replace the cover. | ![Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD). When finished, replace the cover.](images/surface-hub-2s-repack-8.png) | +| **5.**| You will need the packaging fixtures that were used to package your replacement Compute Cartridge. | ![You will need the packaging fixtures that were used to package your replacement Compute Cartridge.](images/surface-hub-2s-replace-cartridge-6.png) | +| **6.**| Place the old Compute Cartridge in the packaging fixtures. | ![Place the old Compute Cartridge in the packaging fixtures.](images/surface-hub-2s-replace-cartridge-7.png) | +| **7.** | Place the old Compute Cartridge and its packaging into the box that was used for the replacement Compute Cartridge. Reseal the box. | ![Place the old Compute Cartridge and its packaging into the box that was used for the replacement Compute Cartridge. Reseal the box.](images/surface-hub-2s-replace-cartridge-8.png)| +| **8.**| Slide the replacement Compute Cartridge into the unit. | ![Slide the replacement Compute Cartridge into the unit.](images/surface-hub-2s-replace-cartridge-9.png) | +| **9.**| Fasten the locking screw and slide the cover into place | ![Fasten the locking screw and slide the cover into place.](images/surface-hub-2s-replace-cartridge-10.png) | ## How to replace your Surface Hub 2S Camera Use the following steps to remove the Surface Hub 2S camera and install the new camera. -![You will need the new camera and the two-millimeter allen wrench](images/surface-hub-2s-replace-camera-1.png) -![Unplug the old camera from the unit. If needed, use the allen wrench to adjust the new camera. Plug the new camera into the unit.](images/surface-hub-2s-replace-camera-2.png) +| | | | +| - | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----- | +| **1.** | You will need the new camera and the two-millimeter allen wrench. |![You will need the new camera and the two-millimeter allen wrench](images/surface-hub-2s-replace-camera-1.png) | +| **2.** | Unplug the old camera from the unit. If needed, use the allen wrench to adjust the new camera. Plug the new camera into the unit. | ![Unplug the old camera from the unit. If needed, use the allen wrench to adjust the new camera. Plug the new camera into the unit.](images/surface-hub-2s-replace-camera-2.png) | diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md index af763b9e26..1f0e98f92b 100644 --- a/devices/surface-hub/surface-hub-2s-recover-reset.md +++ b/devices/surface-hub/surface-hub-2s-recover-reset.md @@ -23,8 +23,10 @@ To begin, sign in to Surface Hub 2S with admin credentials, open the **Settings* 1. To reset the device, select **Get Started**. 2. When the **Ready to reset this device** window appears, select **Reset**. + >[!NOTE] >Surface Hub 2S reinstalls the operating system from the recovery partition. This may take up to one hour to complete. + 3. To reconfigure the device, run the first-time Setup program. 4. If you manage the device using Microsoft Intune or another mobile device management solution, retire and delete the previous record, and then re-enroll the new device. For more information, see [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe). diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index 943400d44c..50af49ec5c 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -24,6 +24,17 @@ Please refer to the “[Surface Hub Important Information](https://support.micro ## Windows 10 Team Creators Update 1703 +
+January 14, 2020—update for Team edition based on KB4534296* (OS Build 15063.2254) + +This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include: + +* Addresses an issue with log collection for Microsoft Surface Hub 2S. + +Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services. +*[KB4534296](https://support.microsoft.com/help/4534296) +
+
September 24, 2019—update for Team edition based on KB4516059* (OS Build 15063.2078) @@ -57,7 +68,6 @@ Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include: -* Addresses an issue with log collection for Microsoft Surface Hub 2S. * Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully. * Adds support for TLS 1.2 connections to identity providers and Exchange in device account setup scenarios. * Fixes to improve reliability of Hardware Diagnostic App on Hub 2S. @@ -520,7 +530,6 @@ This update to the Surface Hub includes quality improvements and security fixes. ## Related topics -* [Windows 10 feature roadmap](https://go.microsoft.com/fwlink/p/?LinkId=785967) * [Windows 10 release information](https://go.microsoft.com/fwlink/p/?LinkId=724328) * [Windows 10 November update: FAQ](https://windows.microsoft.com/windows-10/windows-update-faq) * [Microsoft Surface update history](https://go.microsoft.com/fwlink/p/?LinkId=724327) diff --git a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md index 0e5600c12c..e01737c52e 100644 --- a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md +++ b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md @@ -89,11 +89,11 @@ The Surface Hub Hardware Diagnostic tool is an easy-to-navigate tool that lets t Field |Success |Failure |Comment |Reference |------|------|------|------|------| -Internet Connectivity |Device does have Internet connectivity |Device does not have Internet connectivity |Verifies internet connectivity, including proxy connection |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/) +Internet Connectivity |Device does have Internet connectivity |Device does not have Internet connectivity |Verifies internet connectivity, including proxy connection | HTTP Version |1.1 |1.0 |If HTTP 1.0 found, it will cause issue with WU and Store | Direct Internet Connectivity |Device has a Proxy configured Device has no Proxy configured |N/A |Informational. Is your device behind a proxy? | Proxy Address | | |If configured, returns proxy address. | -Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated through the proxy. |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/) +Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated through the proxy. | Proxy Auth Types | | |If proxy authentication is used, return the Authentication methods advertised by the proxy. | #### Environment @@ -131,5 +131,5 @@ SIP Pool Cert Root CA | | |Information. Display the SIP Pool Cert Root CA, if av Field |Success |Failure |Comment |Reference |------|------|------|------|------| -Trust Model Status |No Trust Model Issue Detected. |SIP Domain and server domain are different please add the following domains. |Check the LD FQDN/ LD Server Name/ Pool Server name for Trust model issue. |[Surface Hub and the Skype for Business Trusted Domain List](https://blogs.technet.microsoft.com/y0av/2017/10/25/95/) +Trust Model Status |No Trust Model Issue Detected. |SIP Domain and server domain are different please add the following domains. |Check the LD FQDN/ LD Server Name/ Pool Server name for Trust model issue. Domain Name(s) | | |Return the list of domains that should be added for SFB to connect. | diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 53918a7ad5..86ad0dd85e 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -1,4 +1,4 @@ -# [Surface](index.md) +# [Surface](index.yml) ## [Get started](get-started.md) diff --git a/devices/surface/images/config-mgr-semm-fig3.png b/devices/surface/images/config-mgr-semm-fig3.png index c844b60531..e699359552 100644 Binary files a/devices/surface/images/config-mgr-semm-fig3.png and b/devices/surface/images/config-mgr-semm-fig3.png differ diff --git a/devices/surface/images/dataeraser-arch.png b/devices/surface/images/dataeraser-arch.png new file mode 100644 index 0000000000..5010120cf1 Binary files /dev/null and b/devices/surface/images/dataeraser-arch.png differ diff --git a/devices/surface/index.md b/devices/surface/index.md deleted file mode 100644 index 3d8e45e45e..0000000000 --- a/devices/surface/index.md +++ /dev/null @@ -1,151 +0,0 @@ ---- -title: Microsoft Surface documentation and resources -layout: HubPage -hide_bc: true -description: Surface and Surface Hub documentation for admins & IT professionals -author: greg-lindsay -ms.author: greglin -manager: laurawi -ms.topic: hub-page -keywords: Microsoft Surface, Microsoft Surface Hub, Surface documentation -ms.localizationpriority: High -audience: ITPro -ms.prod: Surface -description: Learn about Microsoft Surface and Surface Hub devices. ---- - diff --git a/devices/surface/index.yml b/devices/surface/index.yml new file mode 100644 index 0000000000..29bd13e5da --- /dev/null +++ b/devices/surface/index.yml @@ -0,0 +1,62 @@ +### YamlMime:Hub + +title: Microsoft Surface # < 60 chars +summary: Learn how to plan, deploy, and manage Microsoft Surface and Surface Hub devices. # < 160 chars +# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-platform | project | sharepoint | sql | sql-server | teams | vs | visual-studio | windows | xamarin +brand: windows + +metadata: + title: Microsoft Surface # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn how to plan, deploy, and manage Microsoft Surface and Surface Hub devices. # Required; article description that is displayed in search results. < 160 chars. + ms.prod: surface #Required; service per approved list. service slug assigned to your service by ACOM. + ms.topic: hub-page # Required + audience: ITPro + author: samanro #Required; your GitHub user alias, with correct capitalization. + ms.author: samanro #Required; microsoft alias of author; optional team alias. + ms.date: 07/03/2019 #Required; mm/dd/yyyy format. + localization_priority: Priority + +# additionalContent section (optional) +# Card with summary style +additionalContent: + # Supports up to 3 sections + sections: + - title: For IT Professionals # < 60 chars (optional) + items: + # Card + - title: Surface devices + summary: Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization. + url: https://docs.microsoft.com/en-us/surface/get-started + # Card + - title: Surface Hub + summary: Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device that brings the power of Windows 10 to team collaboration. Learn how to plan, deploy, manage, and support your Surface Hub devices. + url: https://docs.microsoft.com/surface-hub/index + # Card + - title: Surface for Business + summary: Explore how Surface devices are transforming the modern workplace with people-centric design and flexible form factors, helping you get the most out of AI, big data, the cloud, and other foundational technologies. + url: https://www.microsoft.com/surface/business + - title: Other resources # < 60 chars (optional) + items: + # Card + - title: Communities + links: + - text: Surface IT Pro blog + url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro + - text: Surface Devices Tech Community + url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices + # Card + - title: Learn + links: + - text: Surface training on Microsoft Learn + url: https://docs.microsoft.com/learn/browse/?term=Surface + - text: Microsoft Mechanics Surface videos + url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ + - text: Surface Hub 2S adoption and training + url: https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit + # Card + - title: Need help? + links: + - text: Surface devices + url: https://support.microsoft.com/products/surface-devices + - text: Surface Hub + url: https://support.microsoft.com/hub/4343507/surface-hub-help diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md index d205908048..9932a573bc 100644 --- a/devices/surface/manage-surface-uefi-settings.md +++ b/devices/surface/manage-surface-uefi-settings.md @@ -39,7 +39,7 @@ The PC information page includes detailed information about your Surface device: - **UUID** – This Universally Unique Identification number is specific to your device and is used to identify the device during deployment or management. - **Serial Number** – This number is used to identify this specific Surface device for asset tagging and support scenarios. -- **Asset Tag** – The asset tag is assigned to the Surface device with the [Asset Tag Tool](https://www.microsoft.com/download/details.aspx?id=44076). +- **Asset Tag** – The asset tag is assigned to the Surface device with the [Asset Tag Tool](https://docs.microsoft.com/surface/assettag). You will also find detailed information about the firmware of your Surface device. Surface devices have several internal components that each run different versions of firmware. The firmware version of each of the following devices is displayed on the **PC information** page (as shown in Figure 1): @@ -214,4 +214,4 @@ When you update Surface device firmware, by using either Windows Update or manua - [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) -- [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) \ No newline at end of file +- [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 90b623c490..a835026b8b 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -14,7 +14,7 @@ author: dansimp ms.author: dansimp ms.topic: article ms.audience: itpro -ms.date: 11/13/2019 +ms.date: 02/20/2020 --- # Microsoft Surface Data Eraser @@ -83,30 +83,35 @@ After the creation tool is installed, follow these steps to create a Microsoft S 1. Start Microsoft Surface Data Eraser from the Start menu or Start screen. -2. Click **Build** to begin the Microsoft Surface Data Eraser USB creation process. +2. Click **Build** to begin the Microsoft Surface Data Eraser USB creation process. 3. Click **Start** to acknowledge that you have a USB stick of at least 4 GB connected, as shown in Figure 1. ![Start the Microsoft Surface Data Eraser tool](images/dataeraser-start-tool.png "Start the Microsoft Surface Data Eraser tool") *Figure 1. Start the Microsoft Surface Data Eraser tool* +4. Choose **x64** for most Surface devices or **ARM64** for Surface Pro X from the **Architecture Selection** page, as shown in Figure 2. Select **Continue**. -4. Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 2, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost. + ![Architecture selection](images/dataeraser-arch.png "Architecture Selection")
+ *Figure 2. Select device architecture* + + +4. Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 3, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost. >[!NOTE] >If the Start button is disabled, check that your removable drive has a total capacity of at least 4 GB. ![USB thumb drive selection](images/dataeraser-usb-selection.png "USB thumb drive selection") - *Figure 2. USB thumb drive selection* + *Figure 3. USB thumb drive selection* 5. After the creation process is finished, the USB drive has been formatted and all binaries are copied to the USB drive. Click **Success**. -6. When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 3. +6. When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 4. ![Surface Data Eraser USB creation process](images/dataeraser-complete-process.png "Surface Data Eraser USB creation process") - *Figure 3. Complete the Microsoft Surface Data Eraser USB creation process* + *Figure 4. Complete the Microsoft Surface Data Eraser USB creation process* 7. Click **X** to close Microsoft Surface Data Eraser. @@ -130,11 +135,11 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo >[!NOTE] >If your device does not boot to USB using these steps, you may need to turn on the **Enable Alternate Boot Sequence** option in Surface UEFI. You can read more about Surface UEFI boot configuration in [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). -3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed, as shown in Figure 4. +3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed, as shown in Figure 5. ![Booting the Microsoft Surface Data Eraser USB stick](images/data-eraser-3.png "Booting the Microsoft Surface Data Eraser USB stick") - *Figure 4. Booting the Microsoft Surface Data Eraser USB stick* + *Figure 5. Booting the Microsoft Surface Data Eraser USB stick* 4. Read the software license terms, and then close the Notepad file. @@ -147,14 +152,14 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo ![Partition to be erased is displayed](images/sda-fig5-erase.png "Partition to be erased is displayed") - *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser* + *Figure 6. Partition to be erased is displayed in Microsoft Surface Data Eraser* 7. If you pressed **Y** in step 6, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice. 8. Click the **Yes** button to continue erasing data on the Surface device. ->[!NOTE] ->When you run Surface Data Eraser on the Surface Data Eraser USB drive, a log file is generated in the **SurfaceDataEraserLogs** folder. + >[!NOTE] + >When you run Surface Data Eraser on the Surface Data Eraser USB drive, a log file is generated in the **SurfaceDataEraserLogs** folder. ## Changes and updates @@ -222,8 +227,8 @@ This version of Microsoft Surface Data Eraser adds support for the following: - Surface Pro 1TB ->[!NOTE] ->Surface Data Eraser v3.2.45.0 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information. + >[!NOTE] + >Surface Data Eraser v3.2.45.0 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information. ### Version 3.2.36.0 diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index dc3e5b41f0..aac758fa29 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -5,50 +5,71 @@ ms.localizationpriority: medium ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp -ms.author: dansimp +author: greg-lindsay +ms.author: greglin ms.topic: article -ms.date: 10/09/2019 ms.reviewer: scottmca manager: dansimp ms.audience: itpro --- # Microsoft Surface Dock Firmware Update -This article explains how to use Microsoft Surface Dock Firmware Update, newly redesigned to update Surface Dock firmware while running in the background on your Surface device. Once installed, it will update any Surface Dock attached to your Surface device. +This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device. -> [!NOTE] ->Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. It was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version of the tool). The earlier tool has been retired, is no longer available for download, and should not be used. +Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. It was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number). The earlier tool is no longer available for download and should not be used. -## To run Surface Dock Firmware Update +> [!IMPORTANT] +>Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version. + +## Monitor the Surface Dock Firmware Update + +This section is optional and provides an overview of how to monitor installation of the firmware update. When you are ready to install the update, see [Install the Surface Dock Firmware Update](#install-the-surface-dock-firmware-update) below. For more detailed information about monitoring the update process, see the following sections in this article: + - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update) + - [Event logging](#event-logging) + - [Troubleshooting tips](#troubleshooting-tips) + - [Versions reference](#versions-reference) + +To monitor the update: + +1. Open Event Viewer, browse to **Windows Logs > Application**, and then under **Actions** in the right-hand pane click **Filter Current Log**, enter **SurfaceDockFwUpdate** next to **Event sources**, and then click **OK**. +2. Type the following command at an elevated command prompt: + + ```cmd + Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters" + ``` +3. Install the update as described in the [next section](#install-the-surface-dock-firmware-update) of this article. +4. Event 2007 with the following text indicates a successful update: **Firmware update finished. hr=0 DriverTelementry EventCode = 2007**. + - If the update is not successful, then event ID 2007 will be displayed as an **Error** event rather than **Information**. Additionally, the version reported in the Windows Registry will not be current. +5. When the update is complete, updated DWORD values will be displayed in the Windows Registry, corresponding to the current version of the tool. See the [Versions reference](#versions-reference) section in this article for details. For example: + - Component10CurrentFwVersion 0x04ac3970 (78395760) + - Component20CurrentFwVersion 0x04915a70 (76634736) + +>[!TIP] +>If you see "The description for Event ID xxxx from source SurfaceDockFwUpdate cannot be found" in event text, this is expected and can be ignored. + +## Install the Surface Dock Firmware Update + +This section describes how to install the firmware update. 1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703). - - The file is released in the following naming format: **Surface_Dock_FwUpdate_X.XX.XXX_Win10_XXXXX_XX.XXX.XXXXX_X.MSI** and installs by default to C:\Program Files\SurfaceUpdate. - - Requires Surface devices running at least Windows 10 version 1803 or later. + - The update requires a Surface device running Windows 10, version 1803 or later. + - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update. -2. After you connect Surface Dock to your Surface device, the tool checks the firmware status while running in the background. - -4. After several seconds, disconnect your Surface Dock from your device and then wait for 5 seconds before reconnecting. The Surface Dock Firmware Update will normally update the dock silently in background after you disconnect from the dock and reconnect. The process can take a few minutes to complete and will continue even if interrupted. - -### Manual installation -If preferred, you can manually complete the update as follows: - -- Reconnect your Surface Dock for 2 minutes and then disconnect it from your device. The DisplayPort firmware update will be installed while the hardware is disconnected. The LED in the Ethernet port of the dock will blink while the update is in progress. Please wait until the LED stops blinking before you unplug your Surface Dock from power. - -> [!NOTE] -> -> - Manually installing the MSI file may prompt you to restart Surface; however, restarting is optional and not required. -> - You will need to disconnect and reconnect the dock twice before the update fully completes. -> - To create a log file, specify the path in the Msiexec command. For example, append /l*v %windir%\logs\ SurfaceDockFWI.log". +2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted. ## Network deployment You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firmware Update to multiple devices across your network. When using Microsoft Endpoint Configuration Manager or other deployment tool, enter the following syntax to ensure the installation is silent: -- **Msiexec.exe /i /quiet /norestart** +- **Msiexec.exe /i \ /quiet /norestart** + + For example: + ``` + msiexec /i "\\share\folder\Surface_Dock_FwUpdate_1.42.139_Win10_17134_19.084.31680_0.msi" /quiet /norestart + ``` > [!NOTE] -> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]" +> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]". For example: Msiexec.exe /i \ /l*v %windir%\logs\ SurfaceDockFWI.log" For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation. @@ -56,12 +77,13 @@ For more information, refer to [Command line options](https://docs.microsoft.com > If you want to keep your Surface Dock updated using any other method, refer to [Update your Surface Dock](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) for details. ## Intune deployment + You can use Intune to distribute Surface Dock Firmware Update to your devices. First you will need to convert the MSI file to the .intunewin format, as described in the following documentation: [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps/apps-win32-app-management). Use the following command: - - **msiexec /i /quiet /q** + - **msiexec /i \ /quiet /q** -## How to verify completion of firmware update +## How to verify completion of the firmware update Surface dock firmware consists of two components: @@ -117,11 +139,11 @@ Events are logged in the Application Event Log. Note: Earlier versions of this - Ensure that the Surface Dock is disconnected, and then allow enough time for the update to complete as monitored via an LED in the Ethernet port of the dock. Wait until the LED stops blinking before you unplug Surface Dock from power. - Connect the Surface Dock to a different device to see if it is able to update the dock. -## Changes and updates - -Microsoft periodically releases new versions of Surface Dock Firmware Update.Note that the MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version of the MSI. - ## Versions reference + +>[!NOTE] +>The installation file is released with the following naming format: **Surface_Dock_FwUpdate_X.XX.XXX_Win10_XXXXX_XX.XXX.XXXXX_X.MSI** (ex: Surface_Dock_FwUpdate_1.42.139_Win10_17134_19.084.31680_0.msi) and installs by default to C:\Program Files\SurfaceUpdate. + ### Version 1.42.139 *Release Date: September 18 2019* diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index 0cf1ab9bda..1ac8eb8aa2 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -75,10 +75,9 @@ To create a new application and deploy it to a collection that contains your Sur * **Import Information** – The Create Application Wizard will parse the .msi file and read the **Application Name** and **Product Code**. SurfaceUEFIManagerSetup.msi should be listed as the only file under the line **Content Files**, as shown in Figure 1. Select **Next** to proceed. - - ![Information from Surface UEFI Manager setup is automatically parsed](images/config-mgr-semm-fig1.png "Information from Surface UEFI Manager setup is automatically parsed") - - *Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed* + ![Information from Surface UEFI Manager setup is automatically parsed](images/config-mgr-semm-fig1.png "Information from Surface UEFI Manager setup is automatically parsed") + + *Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed* * **General Information** – You can modify the name of the application and information about the publisher and version, or add comments on this page. The installation command for Microsoft Surface UEFI Manager is displayed in the Installation Program field. The default installation behavior of Install for system will allow Microsoft Surface UEFI Manager to install the required assemblies for SEMM even if a user is not logged on to the Surface device. Select **Next** to proceed. * **Summary** – The information that was parsed in the **Import Information** step and your selections from the **General Information** step is displayed on this page. Select **Next** to confirm your selections and create the application. @@ -107,7 +106,7 @@ The sample scripts include examples of how to set Surface UEFI settings and how The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, and the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script. - ``` + ```powershell 56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition 57 $packageRoot = "$WorkingDirPath\Config" 58 $certName = "FabrikamSEMMSample.pfx" @@ -137,7 +136,7 @@ On line 73, replace the value of the **$password** variable, from **1234** to th > [!Note] > The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this. -``` +```powershell 150 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership. 151 # For convenience we get the thumbprint here and present to the user. 152 $pw = ConvertTo-SecureString $password -AsPlainText -Force @@ -163,7 +162,7 @@ Administrators with access to the certificate file (.pfx) can read the thumbprin The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras. -``` +```powershell 210 # Configure Permissions 211 foreach ($uefiV2 IN $surfaceDevices.Values) { 212 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) { @@ -215,7 +214,7 @@ You can find information about the available settings names and IDs for Surface The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows. -``` +```powershell 291 # Configure Settings 292 foreach ($uefiV2 IN $surfaceDevices.Values) { 293 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) { @@ -277,7 +276,7 @@ To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 sc The following code fragment, found on lines 380-477, is used to write these registry keys. -``` +```powershell 380 # For Endpoint Configuration Manager or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry: 381 $UTCDate = (Get-Date).ToUniversalTime().ToString() 382 $certIssuer = $certPrint.Issuer @@ -480,10 +479,10 @@ To add the SEMM Configuration Manager scripts to Configuration Manager as an app - Select **Registry** from the **Setting Type** drop-down menu. - Select **HKEY_LOCAL_MACHINE** from the **Hive** drop-down menu. - Enter **SOFTWARE\Microsoft\Surface\SEMM** in the **Key** field. - - Enter **Enabled_Version1000** in the **Value** field. + - Enter **CertName** in the **Value** field. - Select **String** from the **Data Type** drop-down menu. - Select the **This registry setting must satisfy the following rule to indicate the presence of this application** button. - - Enter **1** in the **Value** field. + - Enter the name of the certificate you entered in line 58 of the script in the **Value** field. - Select **OK** to close the **Detection Rule** window. ![Use a registry key to identify devices enrolled in SEMM](images/config-mgr-semm-fig3.png "Use a registry key to identify devices enrolled in SEMM") diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md index 36283c8d84..1fbdba19cf 100644 --- a/devices/surface/windows-autopilot-and-surface-devices.md +++ b/devices/surface/windows-autopilot-and-surface-devices.md @@ -13,7 +13,7 @@ ms.author: dansimp ms.topic: article ms.localizationpriority: medium ms.audience: itpro -ms.date: 11/26/2019 +ms.date: 02/14/2020 --- # Windows Autopilot and Surface devices @@ -25,15 +25,24 @@ Windows Autopilot-registered devices are identified over the Internet at first s You can register Surface devices at the time of purchase from a Surface partner that's enabled for Windows Autopilot. These partners can ship new devices directly to your users. The devices will be automatically enrolled and configured when they are first turned on. This process eliminates reimaging during deployment, which lets you implement new, agile methods of device management and distribution. ## Modern management + Autopilot is the recommended deployment option for Surface devices, including Surface Pro 7, Surface Laptop 3, and Surface Pro X, which is specifically designed for deployment through Autopilot. It's best to enroll your Surface devices with the help of a Microsoft Cloud Solution Provider. This step allows you to manage UEFI firmware settings on Surface directly from Intune. It eliminates the need to physically touch devices for certificate management. See [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) for details. ## Windows version considerations + Broad deployment of Surface devices through Windows Autopilot, including enrollment by Surface partners at the time of purchase, requires Windows 10 Version 1709 (Fall Creators Update) or later. These Windows versions support a 4,000-byte (4k) hash value that uniquely identifies devices for Windows Autopilot, which is necessary for deployments at scale. All new Surface devices, including Surface Pro 7, Surface Pro X, and Surface Laptop 3, ship with Windows 10 Version 1903 or later. +## Exchange experience on Surface devices in need of repair or replacement + +Microsoft automatically checks every Surface for Autopilot enrollment and will deregister the device from the customer’s tenant. Microsoft ensures the replacement device is enrolled into Windows Autopilot once a replacement is shipped back to the customer. This service is available on all device exchange service orders directly with Microsoft. + +> [!NOTE] +> When customers use a Partner to return devices, the Partner is responsible for managing the exchange process including deregistering and enrolling devices into Windows Autopilot. + ## Surface partners enabled for Windows Autopilot Select Surface partners can enroll Surface devices in Windows Autopilot for you at the time of purchase. They can also ship enrolled devices directly to your users. The devices can be configured entirely through a zero-touch process by using Windows Autopilot, Azure AD, and mobile device management. @@ -42,7 +51,7 @@ Surface partners that are enabled for Windows Autopilot include: - [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp) - [Atea](https://www.atea.com/) -- [Bechtle](https://www.bechtle.com/de-en) +- [Bechtle](https://www.bechtle.com/marken/microsoft/microsoft-windows-autopilot) - [Cancom](https://www.cancom.de/) - [CDW](https://www.cdw.com/) - [Computacenter](https://www.computacenter.com/uk) @@ -53,6 +62,7 @@ Surface partners that are enabled for Windows Autopilot include: - [Techdata](https://www.techdata.com/) ## Learn more + For more information about Windows Autopilot, see: - [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot) - [Windows Autopilot requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements) \ No newline at end of file diff --git a/mdop/appv-v5/app-v-50-prerequisites.md b/mdop/appv-v5/app-v-50-prerequisites.md index 1d1dcd7770..e90a62583c 100644 --- a/mdop/appv-v5/app-v-50-prerequisites.md +++ b/mdop/appv-v5/app-v-50-prerequisites.md @@ -100,8 +100,8 @@ The following table lists the installation prerequisites for the App-V 5.0 clien
@@ -158,8 +158,8 @@ The following table lists the installation prerequisites for the App-V 5.0 Remot @@ -221,14 +221,14 @@ If the system requirements of a locally installed application exceed the require - + diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 3b50e8d5cf..38e128bd28 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -34,7 +34,7 @@ The enrollment process includes the following steps: ## Enrollment protocol -There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). The enrollment process involves the following steps: diff --git a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md index fc1667fcc2..22c3ac4fbe 100644 --- a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md @@ -14,7 +14,7 @@ ms.date: 06/26/2017 # On-premises authentication device enrollment -This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). ## In this topic diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 9d72af8a49..6704ebd00c 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -15,6 +15,8 @@ ms.date: 07/18/2019 # Policy CSP +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. @@ -198,6 +200,9 @@ The following diagram shows the Policy configuration service provider in tree fo
ApplicationManagement/AllowSharedUserAppData
+
+ ApplicationManagement/BlockNonAdminUserInstall +
ApplicationManagement/DisableStoreOriginatedApps
@@ -612,6 +617,9 @@ The following diagram shows the Policy configuration service provider in tree fo
Bluetooth/ServicesAllowedList
+
+ Bluetooth/SetMinimumEncryptionKeySize +
### Browser policies @@ -3325,6 +3333,23 @@ The following diagram shows the Policy configuration service provider in tree fo
Storage/AllowDiskHealthModelUpdates
+
+ Storage/AllowStorageSenseGlobal +
+
+ Storage/AllowStorageSenseTemporaryFilesCleanup +
+
+ Storage/ConfigStorageSenseCloudContentDehydrationThreshold +
+
+ Storage/ConfigStorageSenseDownloadsCleanupThreshold +
+
+ Storage/ConfigStorageSenseGlobalCadence +
+
+ Storage/ConfigStorageSenseRecycleBinCleanupThreshold
Storage/EnhancedStorageDevices
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index e978cc82da..f097cc7b37 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -232,6 +232,9 @@ Added in Windows 10, version 1703. Allows IT Admins the ability to disable the " > [!NOTE] > If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). +> [!NOTE] +> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. + The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index a7680a8600..798bbae111 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 02/11/2020 ms.reviewer: manager: dansimp --- @@ -39,6 +39,9 @@ manager: dansimp
ApplicationManagement/AllowSharedUserAppData
+
+ ApplicationManagement/BlockNonAdminUserInstall +
ApplicationManagement/DisableStoreOriginatedApps
@@ -414,6 +417,83 @@ Most restricted value: 0
+ +**ApplicationManagement/BlockNonAdminUserInstall** + + +
step oneset up device

Browse to and select the enterprise license file to upgrade the HoloLens edition.

You can also toggle Yes or No to hide parts of the first experience.

To set up the device without the need to connect to a Wi-Fi network, toggle Skip Wi-Fi setup to On.

Select a region and timezone in which the device will be used. 		Select enterprise licence file and configure OOBE
step two set up network

In this section, you can enter the details of the Wi-Fi wireless network that the device should connect to automatically. To do this, select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.		Enter network SSID and type

Software requirements

Software requirements

Software requirements

Management Server

 @@ -339,7 +339,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve

The App-V 5.0 server components are dependent but they have varying requirements and installation options that must be deployed. Use the following information to prepare your environment to run the App-V 5.0 management database.

@@ -355,7 +355,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve

Reporting Server

Publishing Server
    -

  • Microsoft .NET Framework 4 (Full Package) (http://www.microsoft.com/download/details.aspx?id=17718)

    • +

  • Microsoft .NET Framework 4 (Full Package) (https://www.microsoft.com/download/details.aspx?id=17718)

  • Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)(https://go.microsoft.com/fwlink/?LinkId=267110)

  • Windows Web Server with the IIS role with the following features: Common HTTP Features (static content and default document), Application Development (ASP.NET, .NET Extensibility, ISAPI Extensions and ISAPI Filters), Security (Windows Authentication, Request Filtering), Security (Windows Authentication, Request Filtering), Management Tools (IIS Management Console)

  • 64-bit ASP.NET registration

    • diff --git a/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md b/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md index 965278e188..d365a7ce2c 100644 --- a/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md +++ b/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md @@ -36,7 +36,7 @@ If you are using a certificate for authentication between MBAM servers, after up ### MBAM Svclog File Filling Disk Space -If you have followed Knowledge Base article 2668170, [http://support.microsoft.com/kb/2668170](https://go.microsoft.com/fwlink/?LinkID=247277), you might have to repeat the KB steps after you install this update. +If you have followed Knowledge Base article 2668170, [https://support.microsoft.com/kb/2668170](https://go.microsoft.com/fwlink/?LinkID=247277), you might have to repeat the KB steps after you install this update. **Workaround**: None. diff --git a/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md b/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md index 2c93b51293..1d8f677dab 100644 --- a/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md +++ b/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md @@ -92,7 +92,7 @@ Incorrectly editing the registry may severely damage your system. Before making Important Information: Enterprise customers can use Group Policy to configure how Microsoft Error Reporting behaves on their PCs. Configuration options include the ability to turn off Microsoft Error Reporting. If you are an administrator and wish to configure Group Policy for Microsoft Error Reporting, technical details are available on [TechNet](https://technet.microsoft.com/library/cc709644.aspx). -Additional information on how to modify enable and disable error reporting is available at this support article: [(http://support.microsoft.com/kb/188296)](https://support.microsoft.com/kb/188296). +Additional information on how to modify enable and disable error reporting is available at this support article: [(https://support.microsoft.com/kb/188296)](https://support.microsoft.com/kb/188296). ### Microsoft Update diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md index 3ed2c2c111..cd77d39b06 100644 --- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md +++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md @@ -19,7 +19,10 @@ author: shortpatti This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 ### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 -[Desktop Optimization Pack](https://www.microsoft.com/download/details.aspx?id=58345) +[Desktop Optimization Pack](https://www.microsoft.com/download/details.aspx?id=57157) + +> [!NOTE] +> For more information about the hotfix releases, see the [MBAM version chart](https://docs.microsoft.com/archive/blogs/dubaisec/mbam-version-chart). #### Steps to update the MBAM Server for existing MBAM environment 1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features). diff --git a/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md b/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md index 4e0f5b098c..436bbbe48d 100644 --- a/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md +++ b/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md @@ -26,24 +26,21 @@ Verify you have a current documentation of your MBAM environment, including all ### Upgrade steps #### Steps to upgrade the MBAM Database (SQL Server) 1. Using the MBAM Configurator; remove the Reports role from the SQL server, or wherever the SSRS database is hosted. Depending on your environment, this can be the same server or a separate one. - Note: You will not see an option to remove the Databases; this is expected. + > [!NOTE] + > You will not see an option to remove the Databases; this is expected. 2. Install 2.5 SP1 (Located with MDOP - Microsoft Desktop Optimization Pack 2015 from the Volume Licensing Service Center site: 3. Do not configure it at this time  -4. Install the May 2019 Rollup: https://www.microsoft.com/download/details.aspx?id=58345 -5. Using the MBAM Configurator; re-add the Reports role -6. This will configure the SSRS connection using the latest MBAM code from the rollup  -7. Using the MBAM Configurator; re-add the SQL Database role on the SQL Server. -8. At the end, you will be warned that the DBs already exist and weren’t created, but this is expected. -9. This process updates the existing databases to the current version being installed +4. Using the MBAM Configurator; re-add the Reports role +5. Using the MBAM Configurator; re-add the SQL Database role on the SQL Server +6. At the end, you will be warned that the DBs already exist and weren’t created, but this is expected +7. This process updates the existing databases to the current version being installed. #### Steps to upgrade the MBAM Server (Running MBAM and IIS) 1. Using the MBAM Configurator; remove the Admin and Self Service Portals from the IIS server 2. Install MBAM 2.5 SP1 3. Do not configure it at this time   -4. Install the May 2019 Rollup on the IIS server(https://www.microsoft.com/download/details.aspx?id=58345) -5. Using the MBAM Configurator; re-add the Admin and Self Service Portals to the IIS server  -6. This will configure the sites using the latest MBAM code from the May 2019 Rollup -7. Open an elevated command prompt, Type: **IISRESET** and Hit Enter. +4. Using the MBAM Configurator; re-add the Admin and Self Service Portals to the IIS server  +5. Open an elevated command prompt, type **IISRESET**, and hit Enter. #### Steps to upgrade the MBAM Clients/Endpoints 1. Uninstall the 2.5 Agent from client endpoints diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 205e2c3711..da98a12e3b 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -33,14 +33,14 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - a. Download the FOD .cab file for [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + a. Download the FOD .cab file for [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). >[!NOTE] >You must download the FOD .cab file that matches your operating system version. b. Use `Add-Package` to add Windows Mixed Reality FOD to the image. - ``` + ```powershell Add-Package Dism /Online /add-package /packagepath:(path) ``` diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index cb93e0fb3b..b99a2d3ee4 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -32,5 +32,6 @@ #### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md) #### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md) #### [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) +#### [Stop error occurs when you update the in-box Broadcom network adapter driver](troubleshoot-stop-error-on-broadcom-driver-update.md) ## [Mobile device management for solution providers](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 267386adc6..124846eb32 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -59,7 +59,7 @@ First, validate the type of EAP method being used: ![eap authentication type comparison](images/comparisontable.png) -If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu: +If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication Methods** section. ![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png) @@ -118,4 +118,3 @@ Even if audit policy appears to be fully enabled, it sometimes helps to disable [Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/library/cc766215%28v=ws.10%29.aspx)
    [Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/library/cc749352%28v=ws.10%29.aspx) - diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md index 8265dd9abc..fa3febbd0f 100644 --- a/windows/client-management/change-history-for-client-management.md +++ b/windows/client-management/change-history-for-client-management.md @@ -9,7 +9,7 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 12/27/2019 +ms.date: 1/21/2020 ms.reviewer: manager: dansimp ms.topic: article @@ -19,11 +19,19 @@ ms.topic: article This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile. +## February 2020 + +New or changed topic | Description +--- | --- +[Blue screen occurs when you update the in-box Broadcom NIC driver](troubleshoot-stop-error-on-broadcom-driver-update.md) | New +[Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) | Updated + ## December 2019 New or changed topic | Description --- | --- [Change in default removal policy for external storage media in Windows 10, version 1809](change-default-removal-policy-external-storage-media.md) | New +[Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) | Updated [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) | New ## December 2018 diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index a7c0f2f152..3afcb4da3f 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -65,7 +65,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu ## Supported configurations -In organizations that have integrated Active Directory and Azure AD, you can connect from a domain-joined PC to an Azure AD-joined PC using: +In organizations that have integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC using: - Password - Smartcards diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 82139a98a6..6ba943ffca 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -31,12 +31,15 @@ The following diagram shows the BitLocker configuration service provider in tree ![BitLocker csp](images/provisioning-csp-bitlocker.png) + **./Device/Vendor/MSFT/BitLocker** Defines the root node for the BitLocker configuration service provider. - + **RequireStorageCardEncryption** + Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU. - + + @@ -57,12 +60,13 @@ Allows the administrator to require storage card encryption on the device. This
    Homecheck mark
    + Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on. - + - 0 (default) – Storage cards do not need to be encrypted. - 1 – Require storage cards to be encrypted. - + Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on. If you want to disable this policy use the following SyncML: @@ -87,11 +91,13 @@ If you want to disable this policy use the following SyncML: ``` Data type is integer. Supported operations are Add, Get, Replace, and Delete. - + + **RequireDeviceEncryption** - + Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption. - + + @@ -112,7 +118,7 @@ Allows the administrator to require encryption to be turned on by using BitLocke
    Homecheck mark
    - + Data type is integer. Sample value for this node to enable this policy: 1. Supported operations are Add, Get, Replace, and Delete. @@ -126,12 +132,12 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix - It must not be a system partition. - It must not be backed by virtual storage. - It must not have a reference in the BCD store. - + The following list shows the supported values: - 0 (default) — Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes. - 1 – Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy). - + If you want to disable this policy, use the following SyncML: ```xml @@ -152,10 +158,13 @@ If you want to disable this policy, use the following SyncML: ``` - + + **EncryptionMethodByDriveType** - -Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". + +Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". + + @@ -176,6 +185,8 @@ Allows you to set the default encryption method for each of the different drive
    Homecross mark
    + + ADMX Info:
    • GP English name: Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
      • @@ -183,6 +194,7 @@ ADMX Info:
    • GP path: Windows Components/Bitlocker Drive Encryption
    • GP ADMX file name: VolumeEncryption.admx
    + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -202,14 +214,14 @@ If you disable or do not configure this policy setting, BitLocker will use the d EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. - + The possible values for 'xx' are: - 3 = AES-CBC 128 - 4 = AES-CBC 256 - 6 = XTS-AES 128 - 7 = XTS-AES 256 - + > [!NOTE] > When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status. @@ -231,9 +243,13 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. - + + **SystemDrivesRequireStartupAuthentication** + This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup". + + @@ -254,6 +270,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Require add
    Homecross mark
    + + ADMX Info:
    • GP English name: Require additional authentication at startup
      • @@ -261,6 +279,7 @@ ADMX Info:
    • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
    • GP ADMX file name: VolumeEncryption.admx
    + > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -297,7 +316,7 @@ Data id:
  • ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN.
  • ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.
- + The possible values for 'xx' are:
  • true = Explicitly allow
    • @@ -310,7 +329,7 @@ The possible values for 'yy' are:
  • 1 = Required
  • 0 = Disallowed
- + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -328,9 +347,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. - + + **SystemDrivesMinimumPINLength** + This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup". + + @@ -351,6 +374,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure m
Homecross mark
+ + ADMX Info:
  • GP English name:Configure minimum PIN length for startup
    • @@ -358,6 +383,7 @@ ADMX Info:
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx
+ > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -397,9 +423,14 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. - -**SystemDrivesRecoveryMessage** -This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name). + + +**SystemDrivesRecoveryMessage** + +This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" +(PrebootRecoveryInfo_Name). + + @@ -420,6 +451,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure p
Homecross mark
+ + ADMX Info:
  • GP English name: Configure pre-boot recovery message and URL
    • @@ -427,6 +460,7 @@ ADMX Info:
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx
+ > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -445,6 +479,7 @@ Sample value for this node to enable this policy is: ```xml ``` + The possible values for 'xx' are: - 0 = Empty @@ -453,7 +488,7 @@ The possible values for 'xx' are: - 3 = Custom recovery URL is set. - 'yy' = string of max length 900. - 'zz' = string of max length 500. - + > [!NOTE] > When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status. @@ -478,9 +513,13 @@ Disabling the policy will let the system choose the default behaviors. If you w > Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. Data type is string. Supported operations are Add, Get, Replace, and Delete. - + + **SystemDrivesRecoveryOptions** + This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name). + + @@ -501,6 +540,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how
Homecross mark
+ + ADMX Info:
  • GP English name: Choose how BitLocker-protected operating system drives can be recovered
    • @@ -508,6 +549,7 @@ ADMX Info:
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx
+ > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -536,7 +578,7 @@ Sample value for this node to enable this policy is: ```xml ``` - + The possible values for 'xx' are: - true = Explicitly allow - false = Policy not set @@ -549,7 +591,7 @@ The possible values for 'yy' are: The possible values for 'zz' are: - 2 = Store recovery passwords only - 1 = Store recovery passwords and key packages - + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -568,9 +610,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. - + + **FixedDrivesRecoveryOptions** + This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (). + + @@ -591,6 +637,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how
Homecross mark
+ + ADMX Info:
  • GP English name: Choose how BitLocker-protected fixed drives can be recovered
    • @@ -598,6 +646,7 @@ ADMX Info:
  • GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
  • GP ADMX file name: VolumeEncryption.admx
+ > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -627,7 +676,7 @@ Sample value for this node to enable this policy is: ```xml ``` - + The possible values for 'xx' are:
  • true = Explicitly allow
    • @@ -647,7 +696,7 @@ The possible values for 'zz' are:
  • 2 = Store recovery passwords only
  • 1 = Store recovery passwords and key packages
- + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -666,9 +715,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. - + + **FixedDrivesRequireEncryption** + This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name). + + @@ -689,6 +742,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write
Homecross mark
+ + ADMX Info:
  • GP English name: Deny write access to fixed drives not protected by BitLocker
    • @@ -696,6 +751,7 @@ ADMX Info:
  • GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
  • GP ADMX file name: VolumeEncryption.admx
+ > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -728,9 +784,13 @@ If you disable or do not configure this setting, all fixed data drives on the co ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. - + + **RemovableDrivesRequireEncryption** + This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name). + + @@ -751,6 +811,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write
Homecross mark
+ + ADMX Info:
  • GP English name: Deny write access to removable drives not protected by BitLocker
    • @@ -758,6 +820,7 @@ ADMX Info:
  • GP path: Windows Components/Bitlocker Drive Encryption/Removeable Drives
  • GP ADMX file name: VolumeEncryption.admx
+ > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). @@ -777,13 +840,13 @@ Sample value for this node to enable this policy is: ```xml ``` - + The possible values for 'xx' are:
  • true = Explicitly allow
  • false = Policy not set
- + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml @@ -800,17 +863,18 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` - + + **AllowWarningForOtherDiskEncryption** - + Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1. - + > [!IMPORTANT] > Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview). > [!Warning] > When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows. - + @@ -831,12 +895,13 @@ Allows the admin to disable the warning prompt for other disk encryption on the
Homecross mark
- + + The following list shows the supported values: - 0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. - 1 (default) – Warning prompt allowed. - + ```xml 110 @@ -846,7 +911,6 @@ The following list shows the supported values: int - 0 @@ -861,22 +925,24 @@ The following list shows the supported values: >3. The user's personal OneDrive (MDM/MAM only). > >Encryption will wait until one of these three locations backs up successfully. - -**AllowStandardUserEncryption** + + +**AllowStandardUserEncryption** + Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account. - + > [!NOTE] > This policy is only supported in Azure AD accounts. "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced. If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. - + The expected values for this policy are: - 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. - 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. - + If you want to disable this policy use the following SyncML: ```xml @@ -893,9 +959,18 @@ If you want to disable this policy use the following SyncML: ``` + + + **ConfigureRecoveryPasswordRotation** + + This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys. + + + + @@ -916,15 +991,28 @@ This setting initiates a client-driven recovery password refresh after an OS dri
Homecross mark
+ + Value type is int. Supported operations are Add, Delete, Get, and Replace. + + Supported values are: - 0 – Refresh off (default) - 1 – Refresh on for Azure AD-joined devices - 2 – Refresh on for both Azure AD-joined and hybrid-joined devices + + + + + **RotateRecoveryPasswords** + + + This setting refreshes all recovery passwords for OS and fixed drives (removable drives are not included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate. + The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. @@ -937,6 +1025,7 @@ Recovery password refresh will only occur for devices that are joined to Azure A Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request. - RotateRecoveryPasswordsRequestID: Returns request ID of last request processed. - RotateRecoveryPasswordsRotationStatus: Returns status of last request processed. + @@ -957,14 +1046,21 @@ Each server-side recovery key rotation is represented by a request ID. The serve
Homecross mark
+ + Value type is string. Supported operation is Execute. Request ID is expected as a parameter. **Status** Interior node. Supported operation is Get. -**Status/DeviceEncryptionStatus** -This node reports compliance state of device encryption on the system. + + +**Status/DeviceEncryptionStatus** + +This node reports compliance state of device encryption on the system. + + @@ -985,15 +1081,25 @@ This node reports compliance state of device encryption on the system.
Homecross mark
+ + Supported values: - 0 - Indicates that the device is compliant. - Any other value represents a non-compliant device. + Value type is int. Supported operation is Get. + + + + **Status/RotateRecoveryPasswordsStatus** + + This node reports the status of RotateRecoveryPasswords request. + Status code can be one of the following: @@ -1001,6 +1107,7 @@ Status code can be one of the following: - 1 - Pending - 0 - Pass - Any other code - Failure HRESULT + @@ -1021,11 +1128,21 @@ Status code can be one of the following:
Homecross mark
+ + Value type is int. Supported operation is Get. + + + + **Status/RotateRecoveryPasswordsRequestID** + + This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID. + + @@ -1046,6 +1163,9 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta
Homecross mark
+ + + Value type is string. Supported operation is Get. ### SyncML example @@ -1210,4 +1330,5 @@ The following example is provided to show proper format and should not be taken -``` \ No newline at end of file +``` + diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index 042efca28b..dd72081354 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -15,7 +15,7 @@ ms.date: 06/26/2017 # Certificate authentication device enrollment -This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). > **Note**  To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107). diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 1ed4f22fd6..c961d51a7e 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -264,7 +264,8 @@ Optional. Number of days after last successful sync to unenroll. Supported operations are Add, Delete, Get, and Replace. Value type is integer. **Provider/*ProviderID*/AADSendDeviceToken** -Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained. + +Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained. Supported operations are Add, Delete, Get, and Replace. Value type is bool. diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index f687502610..7ccca3fe88 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -1,6 +1,6 @@ --- title: EAP configuration -description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, plus info about EAP certificate filtering in Windows 10. +description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10. ms.assetid: DD3F2292-4B4C-4430-A57F-922FED2A8FAE ms.reviewer: manager: dansimp @@ -15,46 +15,46 @@ ms.date: 06/26/2017 # EAP configuration -The topic provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile and information about EAP certificate filtering in Windows 10. +This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows 10. -## Create an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile +## Create an EAP configuration XML for a VPN profile -Here is an easy way to get the EAP configuration from your desktop using the rasphone tool that is shipped in the box. +To get the EAP configuration from your desktop using the rasphone tool that is shipped in the box: 1. Run rasphone.exe. ![vpnv2 rasphone](images/vpnv2-csp-rasphone.png) -2. If you don't currently have any VPN connections and you see the following message, click **OK**. +1. If you don't currently have a VPN connection and you see the following message, select **OK**. ![vpnv2 eap configuration](images/vpnv2-csp-networkconnections.png) -3. Select **Workplace network** in the wizard. +1. In the wizard, select **Workplace network**. ![vpnv2 eap configuration](images/vpnv2-csp-setupnewconnection.png) -4. Enter any dummy information for the internet address and connection name. These can be fake since it does not impact the authentication parameters. +1. Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters. ![vpnv2 eap configuration](images/vpnv2-csp-setupnewconnection2.png) -5. Create a fake VPN connection. In the UI shown below, click **Properties**. +1. Create a fake VPN connection. In the UI shown here, select **Properties**. ![vpnv2 eap configuration](images/vpnv2-csp-choosenetworkconnection.png) -6. In the **Test Properties** dialog, click the **Security** tab. +1. In the **Test Properties** dialog, select the **Security** tab. ![vpnv2 eap configuration](images/vpnv2-csp-testproperties.png) -7. In the **Security** tab, select **Use Extensible Authentication Protocol (EAP)** radio button. +1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**. ![vpnv2 eap configuration](images/vpnv2-csp-testproperties2.png) -8. From the drop down menu, select the EAP method that you want to configure. Then click **Properties** to configure as needed. +1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed. ![vpnv2 eap configuration](images/vpnv2-csp-testproperties3.png)![vpnv2 eap configuration](images/vpnv2-csp-testproperties4.png) -9. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML. +1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML. ```powershell Get-VpnConnection -Name Test @@ -88,7 +88,7 @@ Here is an easy way to get the EAP configuration from your desktop using the ras $a.EapConfigXmlStream.InnerXml ``` - Here is an example output + Here is an example output. ```xml 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or > 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or > 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all) -> 2. Install the package on the Primary Domain Controller (PDC). +> 2. Install the package on the Domain Controller. > 3. Navigate, depending on the version to the folder: > 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or > 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or @@ -178,14 +179,13 @@ Requirements: > 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. > 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. > (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain). -> 6. Restart the Primary Domain Controller for the policy to be available. +> 6. Restart the Domain Controller for the policy to be available. > This procedure will work for any future version as well. 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. 2. Create a Security Group for the PCs. 3. Link the GPO. 4. Filter using Security Groups. -5. Enforce a GPO link. ## Troubleshoot auto-enrollment of devices diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 12af80dacf..e8ad3c9cd8 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -19,7 +19,7 @@ This section provides an example of the mobile device enrollment protocol using The <AuthenticationServiceURL> element the discovery response message specifies web authentication broker page start URL. -For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). ## In this topic diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 481d57ea45..254c91259b 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md @@ -1,6 +1,6 @@ --- -title: Provide server-side support for mobile app management on Windows -description: The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. +title: Implement server-side support for mobile application management on Windows +description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -16,21 +16,21 @@ manager: dansimp The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703. -## Integration with Azure Active Directory +## Integration with Azure AD MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  -MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. +MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. -On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings>Accounts>Access work or school**. +On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. Regular non-admin users can enroll to MAM.  ## Integration with Windows Information Protection -MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip) and WIP-aware applications. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.  +MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.  -To make applications WIP-aware, app developers need to include the following data in the app resource file: +To make applications WIP-aware, app developers need to include the following data in the app resource file. ``` syntax // Mark this binary as Allowed for WIP (EDP) purpose  @@ -42,20 +42,20 @@ To make applications WIP-aware, app developers need to include the following dat ## Configuring an Azure AD tenant for MAM enrollment -MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the Management app for an IT admin configuration.  +MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  ![Mobile application management app](images/implement-server-side-mobile-application-management.png) MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  -## MAM enrollment +## MAM enrollment MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](https://msdn.microsoft.com/library/mt221945.aspx). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.  Below are protocol changes for MAM enrollment:  -- MDM discovery is not supported -- APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional -- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore, does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. +- MDM discovery is not supported. +- APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional. +- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. Here is an example provisioning XML for MAM enrollment. @@ -73,39 +73,36 @@ Here is an example provisioning XML for MAM enrollment. Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided above, the device would default to once every 24 hours. -## Supported Configuration Service Providers (CSPs) +## Supported CSPs -MAM on Windows support the following CSPs. All other CSPs will be blocked. Note the list may change later based on customer feedback. +MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback: -- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps -- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs -- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703) -- [DevInfo CSP](devinfo-csp.md) -- [DMAcc CSP](dmacc-csp.md) -- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL -- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies -- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703) -- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management -- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas -- [Reporting CSP](reporting-csp.md) for retrieving WIP logs -- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md) -- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM -- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM +- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps. +- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs. +- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703). +- [DevInfo CSP](devinfo-csp.md). +- [DMAcc CSP](dmacc-csp.md). +- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL. +- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies. +- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703). +- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management. +- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas. +- [Reporting CSP](reporting-csp.md) for retrieving WIP logs. +- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md). +- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. +- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. ## Device lock policies and EAS MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP. -We do not recommend configuring both Exchange Active Sync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows: +We do not recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows: -
    -
  1. When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS:
      2. -
    • If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights.
      • -
    • If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights.
      • -
    -
  2. If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM, EAS, and the resultant set of policies will be a superset of both.
    3. -
+- When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS. +- If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights. +- If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights. +- If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM and EAS, and the resultant set of policies will be a superset of both. ## Policy sync @@ -115,20 +112,18 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to Windows does not support applying both MAM and MDM policies to the same devices. If configured by the admin, a user can change his MAM enrollment to MDM. -> [!Note] -> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On the Home edition, we do not recommend pushing MDM policies to enable users to upgrade. +> [!NOTE] +> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we do not recommend pushing MDM policies to enable users to upgrade. To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment. In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that: -
    -
  1. Both MAM and MDM policies for the organization support WIP
    2. -
  2. EDP CSP Enterprise ID is the same for both MAM and MDM
    3. -
  3. EDP CSP RevokeOnMDMHandoff is set to FALSE
    4. -
+- Both MAM and MDM policies for the organization support WIP. +- EDP CSP Enterprise ID is the same for both MAM and MDM. +- EDP CSP RevokeOnMDMHandoff is set to false. -If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings>Accounts>Access work or school**. The user can click on this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected. +If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected. ## Skype for Business compliance with MAM @@ -164,7 +159,7 @@ We have updated Skype for Business to work with MAM. The following table explain 		October 10 2017 Office 365 ProPlus
First release for deferred channelFirst release for Deferred channel Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. June 13 2017
+ + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscheck mark7
Enterprisecheck mark7
Educationcheck mark7
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in the next major release of Windows 10. + +Manages non-administrator users' ability to install Windows app packages. + +If you enable this policy, non-administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. + +If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages. + + + +ADMX Info: +- GP English name: *Prevent non-admin users from installing packaged Windows apps* +- GP name: *BlockNonAdminUserInstall* +- GP path: *Windows Components/App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + +The following list shows the supported values: +- 0 (default) - Disabled. All users will be able to initiate installation of Windows app packages. +- 1 - Enabled. Non-administrator users will not be able to initiate installation of Windows app packages. + + + + + + + + + +
+ **ApplicationManagement/DisableStoreOriginatedApps** @@ -1032,6 +1112,7 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 225de9c9ca..40e770a691 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -7,14 +7,15 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 02/12/2020 ms.reviewer: manager: dansimp --- # Policy CSP - Bluetooth - +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -40,6 +41,9 @@ manager: dansimp
Bluetooth/ServicesAllowedList
+
+ Bluetooth/SetMinimumEncryptionKeySize +
@@ -390,6 +394,72 @@ The default value is an empty string. For more information, see [ServicesAllowed + +
+ + +**Bluetooth/SetMinimumEncryptionKeySize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark7
Businesscheck mark7
Enterprisecheck mark7
Educationcheck mark7
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in the next major release of Windows 10. +There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments. + + + +The following list shows the supported values: +- 0 (default) - All Bluetooth traffic is allowed. +- N - A number from 1 through 16 representing the bytes that must be used in the encryption process. Currently, 16 is the largest allowed value for N and 16 bytes is the largest key size that Bluetooth supports. If you want to enforce Windows to always use Bluetooth encryption, ignoring the precise encryption key strength, use 1 as the value for N. + +For more information on allowed key sizes, refer to Bluetooth Core Specification v5.1. + + + + + + + + +
Footnotes: @@ -400,6 +470,7 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index ff54e474bf..7cb986c7fd 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -307,6 +307,10 @@ ADMX Info: +The following list shows the supported values: + +- 0 (default) – Disabled. +- 1 – Allowed. diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index dd82298d1b..1c13aa99ad 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -194,7 +194,6 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro IKEv2 Eap - Eap diff --git a/windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md b/windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md new file mode 100644 index 0000000000..6092ae3bc8 --- /dev/null +++ b/windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md @@ -0,0 +1,46 @@ +--- +title: Stop error occurs when you update the in-box Broadcom network adapter driver +description: Describes an issue that causes a stop error when you update an in-box Broadcom driver on Windows Server 2019, version 1809. +author: Teresa-Motiv +ms.author: v-tea +ms.date: 2/3/2020 +ms.prod: w10 +ms.topic: article +ms.custom: +- CI 113175 +- CSSTroubleshooting +audience: ITPro +ms.localizationpriority: medium +keywords: +manager: kaushika +--- + +# Stop error occurs when you update the in-box Broadcom network adapter driver + +This issue affects computers that meet the following criteria: + +- The operating system is Windows Server 2019, version 1809. +- The network adapter is a Broadcom NX1 Gigabit Ethernet network adapter. +- The number of logical processors is large (for example, a computer that has more than 38 logical processors). + +On such a computer, when you update the in-box Broadcom network adapter driver to a later version, the computer experiences a Stop error (also known as a blue screen error or bug check error). + +## Cause + +The operating system media for Windows Server 2019, version 1809, contains version 17.2 of the Broadcom NIC driver. When you upgrade this driver to a later version, the process of uninstalling the version 17.2 driver generates an error. This is a known issue. + +This issue was resolved in Windows Server 2019 version 1903. The operating system media use a later version of the Broadcom network adapter driver. + +## Workaround + +To update the Broadcom network adapter driver on an affected computer, follow these steps: + +> [!NOTE] +> This procedure describes how to use Device Manager to disable and re-enable the Broadcom network adapter. Alternatively, you can use the computer BIOS to disable and re-enable the adapter. For specific instructions, see your OEM BIOS configuration guide. + +1. Download the driver update to the affected computer. +1. Open Device Manager, and then select the Broadcom network adapter. +1. Right-click the adapter and then select **Disable device**. +1. Right-click the adapter again and then select **Update driver** > **Browse my computer for driver software**. +1. Select the update that you downloaded, and then start the update. +1. After the update finishes, right-click the adapter and then select **Enable device**. diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 719976a254..3fe73d34ec 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -59,7 +59,7 @@ To troubleshoot Stop error messages, follow these general steps: 3. Run the [Machine Memory Dump Collector](https://home.diagnostics.support.microsoft.com/selfhelp?knowledgebasearticlefilter=2027760&wa=wsignin1.0) Windows diagnostic package. This diagnostic tool is used to collect machine memory dump files and check for known solutions. -4. Run [Microsoft Safety Scanner](http://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections. +4. Run [Microsoft Safety Scanner](https://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections. 5. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 10–15 percent free disk space. diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index 664dc7700e..c9691539ef 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -251,7 +251,7 @@ If the physical computer is still running in a frozen state, follow these steps Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag. -Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](http://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx). +Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](https://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx). ### Use memory dump to collect data for the virtual machine that's running in a frozen state @@ -284,4 +284,4 @@ On Windows Server 2008, you may not have enough free disk space to generate a co Additionally, on Windows Server 2008 Service Pack (SP2), there's a second option if the system drive doesn't have sufficient space. Namely, you can use the DedicatedDumpFile registry entry. To learn how to use the registry entry, see [New behavior in Windows Vista and Windows Server 2008](https://support.microsoft.com/help/969028). -For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](http://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx). +For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](https://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx). diff --git a/windows/client-management/troubleshoot-windows-startup.md b/windows/client-management/troubleshoot-windows-startup.md index 308677bcef..0e39db4b3f 100644 --- a/windows/client-management/troubleshoot-windows-startup.md +++ b/windows/client-management/troubleshoot-windows-startup.md @@ -7,7 +7,7 @@ ms.topic: troubleshooting author: dansimp ms.localizationpriority: medium ms.author: dansimp -ms.date: +ms.date: 2/3/2020 ms.reviewer: manager: dansimp --- @@ -51,3 +51,5 @@ These articles will walk you through the resources you need to troubleshoot Wind - [Advanced troubleshooting for Stop error or blue screen error](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors) - [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/windows/client-management/troubleshoot-windows-freeze) + +- [Stop error occurs when you update the in-box Broadcom network adapter driver](troubleshoot-stop-error-on-broadcom-driver-update.md) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md index 8ca269aefe..1239cdfc7a 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md @@ -18,6 +18,9 @@ manager: dansimp - Windows 10, version 1703 - Windows 10 Mobile, version 1703 +>[!IMPORTANT] +>Cortana for Power BI is deprecated and will not be available in future releases. This topic is provided as a reference for previous versions only. + Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop. >[!Note] @@ -35,6 +38,7 @@ To use this walkthrough, you’ll need: - **Azure Active Directory (Azure AD)/Work or School account**. You can use the account that you created for Office 365, or you can create a new one while you’re establishing your Power BI account. If you choose to use Azure AD, you must connect your Azure AD account to your Windows account. **To connect your account to Windows** + a. Open **Windows Settings**, click **Accounts**, click **Access work or school**, and then in the **Connect to work or school** section, click **Connect**. b. Follow the instructions to add your Azure Active Directory (Azure AD) account to Windows. diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index ef3757e12b..84bd681996 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -253,6 +253,7 @@ ##### [Update Compliance Perspectives](update/update-compliance-perspectives.md) ### Best practices #### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md) +#### [Update Windows 10 media with Dynamic Update](update/media-dynamic-update.md) #### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md) #### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md) #### [Conclusion](update/feature-update-conclusion.md) diff --git a/windows/deployment/update/images/update-catalog.png b/windows/deployment/update/images/update-catalog.png new file mode 100644 index 0000000000..e199b3a23a Binary files /dev/null and b/windows/deployment/update/images/update-catalog.png differ diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md new file mode 100644 index 0000000000..6f79f71c7e --- /dev/null +++ b/windows/deployment/update/media-dynamic-update.md @@ -0,0 +1,453 @@ +--- +title: Update Windows 10 media with Dynamic Update +description: Learn how to deploy feature updates to your mission critical devices +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: SteveDiAcetis +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Update Windows 10 media with Dynamic Update + +**Applies to**: Windows 10 + +This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images prior to deployment and includes Windows PowerShell scripts you can use to automate this process. + +Volume-licensed media is available for each release of Windows 10 in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows 10 devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process. + +## Dynamic Update + +Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows 10 Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages includes the following kinds of updates: + +- Updates to Setup.exe binaries or other files that Setup uses for feature updates +- Updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment +- Updates to the servicing stack necessary to complete the feature update (see [Servicing stack updates](servicing-stack-updates.md) for more information) +- The latest cumulative (quality) update +- Updates to applicable drivers already published by manufacturers specifically intended for Dynamic Update + +Dynamic Update preserves language pack and Features on Demand packages by reacquiring them. + +Devices must be able to connect to the internet to obtain Dynamic Updates. In some environments, it's not an option to obtain Dynamic Updates. You can still do a media-based feature update by acquiring Dynamic Update packages and applying it to the image prior to starting Setup on the device. + +## Acquire Dynamic Update packages + +You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. For example, you could enter *1809 Dynamic Update x64*, which would return results like this: + +![Table with columns labeled Title, Products, Classification, Last Updated, Version, and Size and four rows listing various dynamic updates and associated KB articles](images/update-catalog.png) + +The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the s. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results. + + +|To find this Dynamic Update packages, search for or check the results here--> |Title |Product |Description (select the **Title** link to see **Details**) | +|---------|---------|---------|---------| +|Safe OS Dynamic Update | 2019-08 Dynamic Update... | Windows 10 Dynamic Update,Windows **Safe OS Dynamic Update** | ComponentUpdate: | +|Setup Dynamic Update | 2019-08 Dynamic Update... | Windows 10 Dynamic Update | **SetupUpdate** | +|Latest cumulative update | 2019-08 **Cumulative Update for Windows 10** | Windows 10 | Install this update to resolve issues in Windows... | +|Servicing stack Dynamic Update | 2019-09 **Servicing Stack Update for Windows 10** | Windows 10... | Install this update to resolve issues in Windows... | + +If you want to customize the image with additional languages or Features on Demand, download supplemental media ISO files from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx). For example, since Dynamic Update will be disabled for your devices, and if users require specific Features on Demand, you can preinstall these into the image. + +## Update Windows 10 installation media + +Properly updating the installation media involves a large number of actions operating on several different targets (image files). Some actions are repeated on different targets. The target images files include: + +- Windows Preinstallation Environment (WinPE): a small operating system used to install, deploy, and repair Windows operating systems +- Windows Recovery Environment (WinRE): repairs common causes of unbootable operating systems. WinRE is based on WinPE and can be customized with additional drivers, languages, optional packages, and other troubleshooting or diagnostic tools. +- Windows operating system: one or more editions of Windows 10 stored in \sources\install.wim +- Windows installation media: the complete collection of files and folders in the Windows 10 installation media. For example, \sources folder, \boot folder, Setup.exe, and so on. + +This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding the Dynamic Update for Setup to the new media (26). + +|Task |WinRE (winre.wim) |WinPE (boot.wim) |Operating system (install.wim) | New media | +|---------|---------|---------|---------|------| +|Add servicing stack Dynamic Update | 1 | 9 | 18 | +|Add language pack | 2 | 10 | 19 | +|Add localized optional packages | 3 | 11 | | +|Add font support | 4 | 12 | | +|Add text-to-speech | 5 | 13 | | +|Update Lang.ini | | 14 | | +|Add Features on Demand | | | 20 | +|Add Safe OS Dynamic Update | 6 | | | +|Add Setup Dynamic Update | | | | 26 +|Add latest cumulative update | | 15 | 21 | +|Clean up the image | 7 | 16 | 22 | +|Add Optional Components | | | 23 | +|Add .Net and .Net cumulative updates | | | 24 | +|Export image | 8 | 17 | 25 | + +### Multiple Windows editions + +The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last. + +### Additional languages and features + +You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image. + +Optional Components, along with the .Net feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .Net and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month). + +## Windows PowerShell scripts to apply Dynamic Updates to an existing image + +These examples are for illustration only, and therefore lack error handling. The script assumes that the following packages is stored locally in this folder structure: + + +|Folder |Description | +|---------|---------| +|C:\mediaRefresh | Parent folder that contains the PowerShell script | +|C:\mediaRefresh\oldMedia | Folder that contains the original media that will be refreshed. For example, contains Setup.exe, and \sources folder. | +|C:\mediaRefresh\newMedia | Folder that will contain the updated media. It is copied from \oldMedia, then used as the target for all update and cleanup operations. | + +### Get started + +The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only. + +``` +function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) } + +Write-Host "$(Get-TS): Starting media refresh" + +# Declare media for FOD and LPs +$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso" +$LP_ISO_PATH = "C:\mediaRefresh\packages\CLIENTLANGPACKDVD_OEM_MULTI.iso" + +# Declare language for showcasing adding optional localized components +$LANG = "ja-jp" +$LANG_FONT_CAPABILITY = "jpan" + +# Declare Dynamic Update packages +$LCU_PATH = “C:\mediaRefresh\packages\LCU.msu” +$SSU_PATH = “C:\mediaRefresh\packages\SSU_DU.msu” +$SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab" +$SAFE_OS_DU_PATH = “C:\mediaRefresh\packages\SafeOS_DU.cab” +$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu” + +# Declare folders for mounted images and temp files +$WORKING_PATH = "C:\mediaRefresh\temp" +$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia" +$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia" +$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount” +$WINRE_MOUNT = $WORKING_PATH + "\WinREMount” +$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount” + +# Mount the language pack ISO +Write-Host "$(Get-TS): Mounting LP ISO" +$LP_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter + +# Declare language related cabs +$WINPE_OC_PATH = Join-Path $LP_ISO_DRIVE_LETTER":" -ChildPath "Windows Preinstallation Environment" | Join-Path -ChildPath "x64" | Join-Path -ChildPath "WinPE_OCs" +$WINPE_OC_LANG_PATH = Join-Path $WINPE_OC_PATH $LANG +$WINPE_OC_LANG_CABS = Get-ChildItem $WINPE_OC_LANG_PATH -name +$WINPE_OC_LP_PATH = Join-Path $WINPE_OC_LANG_PATH "lp.cab" +$WINPE_FONT_SUPPORT_PATH = Join-Path $WINPE_OC_PATH "WinPE-FontSupport-$LANG.cab" +$WINPE_SPEECH_TTS_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS.cab" +$WINPE_SPEECH_TTS_LANG_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS-$LANG.cab" +$OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "Microsoft-Windows-Client-Language-Pack_x64_" + $LANG + ".cab" + +# Mount the Features on Demand ISO +Write-Host "$(Get-TS): Mounting FOD ISO" +$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter +$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\" + +# Create folders for mounting images and storing temporary files +New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null +New-Item -ItemType directory -Path $MAIN_OS_MOUNT -ErrorAction stop | Out-Null +New-Item -ItemType directory -Path $WINRE_MOUNT -ErrorAction stop | Out-Null +New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null + +# Keep the original media, make a copy of it for the new, updateed media. +Write-Host "$(Get-TS): Copying original media to new media path" +Copy-Item -Path $MEDIA_OLD_PATH“\*” -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null +Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false } +``` +### Update WinRE + +The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its s are used for updating other s. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. + +It finishes by cleaning and exporting the image to reduce the image size. + +> [!NOTE] +> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary s in the recovery environment. The s that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small. + +``` +# Mount the main operating system, used throughout the script +Write-Host "$(Get-TS): Mounting main OS" +Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim” -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null + +# +# update Windows Recovery Environment (WinRE) +# +Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Destination $WORKING_PATH"\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null +Write-Host "$(Get-TS): Mounting WinRE" +Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim” -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null + +# Add servicing stack update +Write-Host "$(Get-TS): Adding package $SSU_PATH" +Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null + +# +# Optional: Add the language to recovery environment +# +# Install lp.cab cab +Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH" +Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null + +# Install language cabs for each optional package installed +$WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT +Foreach ($PACKAGE in $WINRE_INSTALLED_OC) { + + if ( ($PACKAGE.PackageState -eq "Installed") ` + -and ($PACKAGE.PackageName.startsWith("WinPE-")) ` + -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) { + + $INDEX = $PACKAGE.PackageName.IndexOf("-Package") + if ($INDEX -ge 0) { + $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab" + if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) { + $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB + Write-Host "$(Get-TS): Adding package $OC_CAB_PATH" + Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null + } + } + } +} + +# Add font support for the new language +if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) { + Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH" + Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null +} + +# Add TTS support for the new language +if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) { + if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) { + + Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH" + Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null + + Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH" + Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null + } +} + +# Add Safe OS +Write-Host "$(Get-TS): Adding package $SAFE_OS_DU_PATH" +Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null + +# Perform image cleanup +Write-Host "$(Get-TS): Performing image cleanup on WinRE" +DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null + +# Dismount +Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null + +# Export +Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim” +Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim” -ErrorAction stop | Out-Null +Move-Item -Path $WORKING_PATH"\winre2.wim” -Destination $WORKING_PATH"\winre.wim” -Force -ErrorAction stop | Out-Null +``` +### Update WinPE + +This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media. + +``` +# +# update Windows Preinstallation Environment (WinPE) +# + +# Get the list of images contained within WinPE +$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim” + +Foreach ($IMAGE in $WINPE_IMAGES) { + + # update WinPE + Write-Host "$(Get-TS): Mounting WinPE" + Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null + + # Add SSU + Write-Host "$(Get-TS): Adding package $SSU_PATH" + Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null + + # Install lp.cab cab + Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH" + Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null + + # Install language cabs for each optional package installed + $WINPE_INSTALLED_OC = Get-WindowsPackage -Path $WINPE_MOUNT + Foreach ($PACKAGE in $WINPE_INSTALLED_OC) { + + if ( ($PACKAGE.PackageState -eq "Installed") ` + -and ($PACKAGE.PackageName.startsWith("WinPE-")) ` + -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) { + + $INDEX = $PACKAGE.PackageName.IndexOf("-Package") + if ($INDEX -ge 0) { + + $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab" + if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) { + $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB + Write-Host "$(Get-TS): Adding package $OC_CAB_PATH" + Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null + } + } + } + } + + # Add font support for the new language + if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) { + Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH" + Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null + } + + # Add TTS support for the new language + if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) { + if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) { + + Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH" + Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null + + Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH" + Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null + } + } + + # Generates a new Lang.ini file which is used to define the language packs inside the image + if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) { + Write-Host "$(Get-TS): Updating lang.ini" + DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null + } + + # Add latest cumulative update + Write-Host "$(Get-TS): Adding package $LCU_PATH" + Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null + + # Perform image cleanup + Write-Host "$(Get-TS): Performing image cleanup on WinPE" + DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null + + # Dismount + Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null + + #Export WinPE + Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim” + Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null + +} + +Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH“\sources\boot.wim” -Force -ErrorAction stop | Out-Null +``` +### Update the main operating system + +For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). + +Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .Net), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image. + +You can install Optional Components, along with the .Net feature, offline, but that will require the device to be restarted. This is why the script installs .Net and Optional Components after cleanup and before export. + +``` +# +# update Main OS +# + +# Add servicing stack update +Write-Host "$(Get-TS): Adding package $SSU_PATH" +Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null + +# Optional: Add language to main OS +Write-Host "$(Get-TS): Adding package $OS_LP_PATH" +Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null + +# Optional: Add a Features on Demand to the image +Write-Host "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0" +Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null + +Write-Host "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0" +Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null + +Write-Host "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0" +Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null + +Write-Host "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0" +Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null + +Write-Host "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0" +Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null + +Write-Host "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0" +Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null + +# Note: If I wanted to enable additional Features on Demand, I'd add these here. + +# Add latest cumulative update +Write-Host "$(Get-TS): Adding package $LCU_PATH" +Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null + +# Copy our updated recovery image from earlier into the main OS +# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file +# into each edition to enable single instancing +Copy-Item -Path $WORKING_PATH"\winre.wim” -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null + +# Perform image cleanup +Write-Host "$(Get-TS): Performing image cleanup on main OS" +DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null + +# +# Note: If I wanted to enable additional Optional Components, I'd add these here. +# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require +# the image to be booted, and thus if we tried to cleanup after installation, it would fail. +# + +Write-Host "$(Get-TS): Adding NetFX3~~~~" +Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null + +# Add .Net Cumulative Update +Write-Host "$(Get-TS): Adding package $DOTNET_CU_PATH" +Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null + +# Dismount +Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null + +# Export +Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim” +Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\install.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim” -ErrorAction stop | Out-Null +Move-Item -Path $WORKING_PATH"\install2.wim” -Destination $MEDIA_NEW_PATH“\sources\install.wim” -Force -ErrorAction stop | Out-Null +``` + +### Update remaining media files + +This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup.exe as needed, along with the latest compatibility database, and replacement component manifests. + +``` +# +# update remaining files on media +# + +# Add Setup DU by copy the files from the package into the newMedia +Write-Host "$(Get-TS): Adding package $SETUP_DU_PATH" +cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null +``` +### Finish up + +As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs. + +``` +# +# Perform final cleanup +# + +# Remove our working folder +Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null + +# Dismount ISO images +Write-Host "$(Get-TS): Dismounting ISO images" +Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null +Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null + +Write-Host "$(Get-TS): Media refresh completed!" +``` + diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 812e47c937..cd447823e3 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -118,7 +118,7 @@ When Microsoft officially releases a feature update for Windows 10, it is made a Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases. All customers, independent software vendors (ISVs), and partners should use this time for testing and piloting within their environments. After 2-4 months, we will transition to broad deployment and encourage customers and partners to expand and accelerate the deployment of the release. For customers using Windows Update for Business, the Semi-Annual Channel provides three months of additional total deployment time before being required to update to the next release. > [!NOTE] -> All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. These versions include Enterprise and Education editions for Windows 10, versions 1607 and later. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18-month lifecycle. +> All releases of Windows 10 have **18 months of servicing for all editions**--these updates provide security and feature updates for the release. However, fall releases of the **Enterprise and Education editions** will have an **additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release**. This extended servicing window applies to Enterprise and Education editions starting with Windows 10, version 1607. > > > [!NOTE] diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 5119f6f5be..e571a94f62 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -23,7 +23,7 @@ ms.topic: article ## Overview -You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See +You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) for more information. An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path **Computer configuration > Administrative Templates > Windows Components > Windows Update**. @@ -42,10 +42,10 @@ Follow these steps on a device running the Remote Server Administration Tools or ### Set up a ring 1. Start Group Policy Management Console (gpmc.msc). -2. Expand **Forest > Domains > *\*. +2. Expand **Forest > Domains > *\**. 3. Right-click *\* and select **Create a GPO in this domain and link it here**. 4. In the **New GPO** dialog box, enter *Windows Update for Business - Group 1* as the name of the new Group Policy Object. -5. Right-click the **Windows Update for Business - Group 1" object, and then select **Edit**. +5. Right-click the **"Windows Update for Business - Group 1"** object, and then select **Edit**. 6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You are now ready to start assigning policies to this ring (group) of devices. diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 89b24aea50..613250332f 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -1,7 +1,6 @@ --- title: Windows as a service -ms.prod: windows-10 -layout: LandingPage +ms.prod: windows-10 ms.topic: landing-page ms.manager: elizapo audience: itpro diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 39568ae5ae..e94b61083c 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -60,7 +60,7 @@ The Settings UI is talking to the Update Orchestrator service which in turn is t On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered. Checking the WindowsUpdate.log reveals the following error: -``` +```console YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * START * Finding updates CallerId = Update;taskhostw Id = 25 YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No YYYY/MM/DD HH:mm:ss:SSS PID TID Agent ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service @@ -85,7 +85,7 @@ YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * END * Finding updates Caller ``` The 0x80070426 error code translates to: -``` +```console ERROR_SERVICE_NOT_ACTIVE - # The service has not been started. ``` @@ -98,7 +98,7 @@ Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download u To fix this issue, configure a proxy in WinHTTP by using the following netsh command: -``` +```console netsh winhttp set proxy ProxyServerName:PortNumber ``` @@ -128,15 +128,15 @@ The most common reasons for this error are described in the following table: ## Issues related to firewall configuration Error that may be seen in the WU logs: -``` +```console DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. ``` Or -``` +```console [DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 , error = 0x800706D9 ``` Or -``` +```console DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A ``` @@ -150,17 +150,17 @@ See [How to configure automatic updates by using Group Policy or registry settin ## Device cannot access update files Check that your device can access these Windows Update endpoints: -- http://windowsupdate.microsoft.com -- http://*.windowsupdate.microsoft.com -- https://*.windowsupdate.microsoft.com -- http://*.update.microsoft.com -- https://*.update.microsoft.com -- http://*.windowsupdate.com -- http://download.windowsupdate.com -- https://download.microsoft.com -- http://*.download.windowsupdate.com -- http://wustat.windows.com -- http://ntservicepack.microsoft.com +- `http://windowsupdate.microsoft.com` +- `http://*.windowsupdate.microsoft.com` +- `https://*.windowsupdate.microsoft.com` +- `http://*.update.microsoft.com` +- `https://*.update.microsoft.com` +- `http://*.windowsupdate.com` +- `http://download.windowsupdate.com` +- `https://download.microsoft.com` +- `http://*.download.windowsupdate.com` +- `http://wustat.windows.com` +- `http://ntservicepack.microsoft.com` Whitelist these endpoints for future use. @@ -183,13 +183,13 @@ Check the output for the Name and OffersWindowsUPdates parameters, which you can ## You have a bad setup in the environment If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: -``` +```console HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] "UseWUServer"=dword:00000001 ===================================> it says use WSUS server. ``` From the WU logs: -``` +```console 2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] 2018-08-06 09:33:31:085 480 1118 Agent ********* 2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates @@ -206,7 +206,7 @@ In the above log snippet, we see that the Criteria = "IsHidden = 0 AND Deploymen Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. -``` +```console 2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] 2018-08-06 10:58:45:992 480 5d8 Agent ********* 2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No @@ -224,12 +224,12 @@ Users may see that Windows 10 is consuming all the bandwidth in the different of The following group policies can help mitigate this: -- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled) -- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") -- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled) +- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](https://gpsearch.azurewebsites.net/#4728) (Set to enabled) +- Driver search: [Policy Specify search order for device driver source locations](https://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") +- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](https://gpsearch.azurewebsites.net/#10876) (Set to enabled) Other components that reach out to the internet: -- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) -- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) -- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) +- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](https://gpsearch.azurewebsites.net/#13362) (Set to disabled) +- Consumer experiences: [Policy Turn off Microsoft consumer experiences](https://gpsearch.azurewebsites.net/#13329) (Set to enabled) +- Background traffic from Windows apps: [Policy Let Windows apps run in the background](https://gpsearch.azurewebsites.net/#13571) diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md index 8168e90730..b58c711dbf 100644 --- a/windows/deployment/usmt/usmt-identify-users.md +++ b/windows/deployment/usmt/usmt-identify-users.md @@ -1,90 +1,66 @@ ---- -title: Identify Users (Windows 10) -description: Identify Users -ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Identify Users - - -It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md). - -## In This Topic - - -- [Migrating Local Accounts](#bkmk-8) - -- [Migrating Domain Accounts](#bkmk-9) - -- [Command-Line Options](#bkmk-7) - -## Migrating Local Accounts - - -Before migrating local accounts, note the following: - -- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the/lac option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. - -- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. - -- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. - - **Note** - If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password. - - - -## Migrating Domain Accounts - - -The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated. - -## Command-Line Options - - -USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate. - -- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools. - - **Important**   - The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations. - - - -- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool. - -- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool. - -- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option. - - **Note**   - By default, if a user name is not specified in any of the command-line options, the user will be migrated. - - - -## Related topics - - -[Determine What to Migrate](usmt-determine-what-to-migrate.md) - -[ScanState Syntax](usmt-scanstate-syntax.md) - -[LoadState Syntax](usmt-loadstate-syntax.md) - - - - - - - - - +--- +title: Identify Users (Windows 10) +description: Identify Users +ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +ms.localizationpriority: medium +--- + +# Identify Users + +It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md). + +## In This Topic + +- [Migrating Local Accounts](#bkmk-8) +- [Migrating Domain Accounts](#bkmk-9) +- [Command-Line Options](#bkmk-7) + +## Migrating Local Accounts + +Before migrating local accounts, note the following: + +- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the **/lac** option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. + +- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. + +- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. + +>[!NOTE] +>If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password. + +## Migrating Domain Accounts + +The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated. + +## Command-Line Options + +USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate. + +- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools. + + >[!IMPORTANT] + >The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations. + +- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool. + +- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool. + +- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option. + + >[!NOTE] + >By default, if a user name is not specified in any of the command-line options, the user will be migrated. + +## Related topics + +[Determine What to Migrate](usmt-determine-what-to-migrate.md)
+[ScanState Syntax](usmt-scanstate-syntax.md)
+[LoadState Syntax](usmt-loadstate-syntax.md) diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 9a229185cc..fa6196d4f9 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -9,7 +9,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.localizationpriority: medium ms.date: 03/11/2019 ms.topic: article @@ -31,11 +32,12 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for ### Requirements -- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access and all updates applied -- [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) +- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied +- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) - [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) +- alternatively any full SQL instance e.g. SQL Server 2014 or newer incl. CU / SP -### Install SQL Server 2017 Express +### Install SQL Server 2017 Express / alternatively use any Full SQL instance e.g. SQL Server 2014 or newer 1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. 2. Select **Basic**. @@ -46,20 +48,23 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for ### Install VAMT using the ADK -1. Download and open the [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) package. +1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package. +Reminder: There won't be new ADK release for 1909. 2. Enter an install location or use the default path, and then select **Next**. 3. Select a privacy setting, and then select **Next**. 4. Accept the license terms. 5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) 6. On the completion page, select **Close**. -### Configure VAMT to connect to SQL Server 2017 Express +### Configure VAMT to connect to SQL Server 2017 Express or full SQL Server 1. Open **Volume Active Management Tool 3.1** from the Start menu. -2. Enter the server instance name and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example. +2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL. ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) +for remote SQL Server use +servername.yourdomain.com diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index e674b3196e..cb55dd325b 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -135,7 +135,7 @@ A summary of each platform's capabilities is provided below.
-Microsoft Store for Business4 +Microsoft Store for Business YES - 1000 at a time max YES4 4K HH @@ -153,7 +153,8 @@ A summary of each platform's capabilities is provided below.
>1Microsoft recommended platform to use
>2Intune license required
>3Feature capabilities are limited
->4To be retired
+>4Device profile assignment will be retired from MSfB and Partner Center in the coming months
+ Also see the following topics for more information about device IDs: - [Device identification](#device-identification) diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index 9fd9e87869..a0bef4bb0b 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md @@ -59,7 +59,7 @@ To enable white glove deployment, an additional Autopilot profile setting must b ![allow white glove](images/allow-white-glove-oobe.png) -The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. +The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. Please make sure not to target both win32 and LOB apps to the same device. >[!NOTE] >Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 338d548271..0e9d529823 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -101,6 +101,9 @@ To provide needed Azure Active Directory (automatic MDM enrollment and company b - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/cloud-platform/microsoft-intune) (or an alternative MDM service). +> [!NOTE] +> Even when using Microsoft 365 subscriptions, you still need to [assign Intune licenses to the users](https://docs.microsoft.com/intune/fundamentals/licenses-assign). + Additionally, the following are also recommended (but not required): - [Office 365 ProPlus](https://www.microsoft.com/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services). - [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise. diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 50ebcf0f14..3631daf619 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -140,7 +140,7 @@ Windows 10, version 1803 and later, allows users to change their diagnostic data #### 2.3.7 Diagnostic data: Managing device-based data delete -Windows 10, version 1809 and later, allows a user to delete diagnostic data collected from their device by going into **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button. An IT administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet script. +Windows 10, version 1803 and later, allows a user to delete diagnostic data collected from their device by going into **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button. An IT administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet script. An administrator can disable a user’s ability to delete their device’s diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`. diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml index 1469d2dcf0..7df978985d 100644 --- a/windows/release-information/resolved-issues-windows-10-1507.yml +++ b/windows/release-information/resolved-issues-windows-10-1507.yml @@ -33,8 +33,6 @@ sections: text: " - -
SummaryOriginating updateStatusDate resolved
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		OS Build 10240.18334

September 23, 2019
KB4522009		Resolved
KB4520011		October 08, 2019
10:00 AM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		OS Build 10240.18305

August 13, 2019
KB4512497		Resolved
KB4517276		August 17, 2019
02:00 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
August 09, 2019
07:03 PM PT
" @@ -53,13 +51,3 @@ sections:
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520011.

Back to topOS Build 10240.18334

September 23, 2019
KB4522009Resolved
KB4520011Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT " - -- title: August 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512497, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517276. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4517276 and install. For instructions, see Update Windows 10.

Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

Back to top		OS Build 10240.18305

August 13, 2019
KB4512497		Resolved
KB4517276		Resolved:
August 17, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
- " diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml index 829cea21b4..5585df19da 100644 --- a/windows/release-information/resolved-issues-windows-10-1607.yml +++ b/windows/release-information/resolved-issues-windows-10-1607.yml @@ -36,11 +36,6 @@ sections:
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >OS Build 14393.3206

September 23, 2019
KB4522010Resolved
KB4519998October 08, 2019
10:00 AM PT
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.

See details >OS Build 14393.3204

September 10, 2019
KB4516044Resolved
September 17, 2019
04:47 PM PT
Apps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call NetQueryDisplayInformation may fail to return results after the first page of data.

See details >OS Build 14393.3053

June 18, 2019
KB4503294Resolved
KB4516044September 10, 2019
10:00 AM PT -
Domain connected devices that use MIT Kerberos realms will not start up
Devices may not start after updating when connected to a domain that is configured to use MIT Kerberos realms.

See details >OS Build 14393.3115

July 16, 2019
KB4507459Resolved
KB4512517August 13, 2019
10:00 AM PT -
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 14393.3025

June 11, 2019
KB4503267Resolved
KB4512495August 17, 2019
02:00 PM PT -
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >OS Build 14393.3144

August 13, 2019
KB4512517Resolved
KB4512495August 17, 2019
02:00 PM PT -
Internet Explorer 11 and apps using the WebBrowser control may fail to render
JavaScript may fail to render as expected in IE11 and in apps using JavaScript or the WebBrowser control.

See details >OS Build 14393.3085

July 09, 2019
KB4507460Resolved
KB4512517August 13, 2019
10:00 AM PT -
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >OS Build 14393.3025

June 11, 2019
KB4503267Resolved External
August 09, 2019
07:03 PM PT " @@ -67,20 +62,6 @@ sections: text: " - - -
DetailsOriginating updateStatusHistory
Apps and scripts using the NetQueryDisplayInformation API may fail with error
 Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

Affected platforms:
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4516044.

Back to top		OS Build 14393.3053

June 18, 2019
KB4503294		Resolved
KB4516044		Resolved:
September 10, 2019
10:00 AM PT

Opened:
August 01, 2019
05:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512517, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512495. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512495 and install. For instructions, see Update Windows 10.

Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

Back to top		OS Build 14393.3144

August 13, 2019
KB4512517		Resolved
KB4512495		Resolved:
August 17, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503267) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512517 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

Back to top		OS Build 14393.3115

July 16, 2019
KB4507459		Resolved
KB4512517		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503267 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512495.

Back to top		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved
KB4512495		Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
Internet Explorer 11 and apps using the WebBrowser control may fail to render
Internet Explorer 11 may fail to render some JavaScript after installing KB4507460. You may also have issues with apps using JavaScript or the WebBrowser control, such as the present PowerPoint feature of Skype Meeting Broadcast.

Affected platforms:
  • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2016
Resolution: This issue was resolved in KB4512517.

Back to top		OS Build 14393.3085

July 09, 2019
KB4507460		Resolved
KB4512517		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 26, 2019
04:58 PM PT
" diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml index 82bf0df89e..c85bdd82e9 100644 --- a/windows/release-information/resolved-issues-windows-10-1709.yml +++ b/windows/release-information/resolved-issues-windows-10-1709.yml @@ -35,10 +35,6 @@ sections:
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >OS Build 16299.1387

September 10, 2019
KB4516066Resolved
KB4534318January 23, 2020
02:00 PM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >OS Build 16299.1392

September 23, 2019
KB4522012Resolved
KB4520004October 08, 2019
10:00 AM PT
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.

See details >OS Build 16299.1387

September 10, 2019
KB4516066Resolved
September 19, 2019
04:08 PM PT -
Domain connected devices that use MIT Kerberos realms will not start up
Devices may not start after updating when connected to a domain that is configured to use MIT Kerberos realms.

See details >OS Build 16299.1296

July 16, 2019
KB4507465Resolved
KB4512516August 13, 2019
10:00 AM PT -
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 16299.1217

June 11, 2019
KB4503284Resolved
KB4512494August 16, 2019
02:00 PM PT -
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >OS Build 16299.1331

August 13, 2019
KB4512516Resolved
KB4512494August 16, 2019
02:00 PM PT -
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >OS Build 16299.1217

June 11, 2019
KB4503284Resolved External
August 09, 2019
07:03 PM PT " @@ -67,24 +63,3 @@ sections:
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard.


Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016

Resolution: Due to security related changes in KB4516066, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
  1. Select the Start button and type Services.
  2. Locate Touch Keyboard and Handwriting Panel Service and double click on it or long press and select Properties.
  3. Locate Startup type: and change it to Manual
  4. Select Ok
  5. The TabletInputService service is now in the default configuration and IME should work as expected.

Back to topOS Build 16299.1387

September 10, 2019
KB4516066Resolved
Resolved:
September 19, 2019
04:08 PM PT

Opened:
September 13, 2019
05:25 PM PT " - -- title: August 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512516, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512494. The ‘optional’ update will be available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512494 and install. For instructions, see Update Windows 10.

Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

Back to top		OS Build 16299.1331

August 13, 2019
KB4512516		Resolved
KB4512494		Resolved:
August 16, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503284) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512516 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

Back to top		OS Build 16299.1296

July 16, 2019
KB4507465		Resolved
KB4512516		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503284 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512494.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved
KB4512494		Resolved:
August 16, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
- " diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml index bdf3c62854..63b5bd826c 100644 --- a/windows/release-information/resolved-issues-windows-10-1803.yml +++ b/windows/release-information/resolved-issues-windows-10-1803.yml @@ -37,11 +37,7 @@ sections:
Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.

See details >OS Build 17134.829

June 11, 2019
KB4503286Resolved
KB4519978October 15, 2019
10:00 AM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >OS Build 17134.1009

September 23, 2019
KB4522014Resolved
KB4520008October 08, 2019
10:00 AM PT
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.

See details >OS Build 17134.1006

September 10, 2019
KB4516058Resolved
September 19, 2019
04:08 PM PT -
Domain connected devices that use MIT Kerberos realms will not start up
Devices may not start after updating when connected to a domain that is configured to use MIT Kerberos realms.

See details >OS Build 17134.915

July 16, 2019
KB4507466Resolved
KB4512501August 13, 2019
10:00 AM PT
Notification issue: \"Your device is missing important security and quality fixes.\"
Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes.\"

See details >N/A

Resolved
September 03, 2019
12:32 PM PT -
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 17134.829

June 11, 2019
KB4503286Resolved
KB4512509August 19, 2019
02:00 PM PT -
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >OS Build 17134.950

August 13, 2019
KB4512501Resolved
KB4512509August 19, 2019
02:00 PM PT -
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >OS Build 17134.829

June 11, 2019
KB4503286Resolved External
August 09, 2019
07:03 PM PT " @@ -73,27 +69,6 @@ sections: " -- title: August 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512501, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512509. The ‘optional’ update will be available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512509 and install. For instructions, see Update Windows 10.

Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

Back to top		OS Build 17134.950

August 13, 2019
KB4512501		Resolved
KB4512509		Resolved:
August 19, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503286) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512501 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

Back to top		OS Build 17134.915

July 16, 2019
KB4507466		Resolved
KB4512501		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503286 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512509.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Resolved
KB4512509		Resolved:
August 19, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
- " - - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml index d113831f80..2eb42f02b4 100644 --- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml @@ -39,10 +39,6 @@ sections:
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >OS Build 17763.740

September 23, 2019
KB4522015Resolved
KB4519338October 08, 2019
10:00 AM PT
Apps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call NetQueryDisplayInformation may fail to return results after the first page of data.

See details >OS Build 17763.55

October 09, 2018
KB4464330Resolved
KB4516077September 24, 2019
10:00 AM PT
IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.

See details >OS Build 17763.737

September 10, 2019
KB4512578Resolved
September 19, 2019
04:08 PM PT -
Domain connected devices that use MIT Kerberos realms will not start up
Devices may not start after updating when connected to a domain that is configured to use MIT Kerberos realms.

See details >OS Build 17763.652

July 22, 2019
KB4505658Resolved
KB4511553August 13, 2019
10:00 AM PT -
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 17763.557

June 11, 2019
KB4503327Resolved
KB4512534August 17, 2019
02:00 PM PT -
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >OS Build 17763.678

August 13, 2019
KB4511553Resolved
KB4512534August 17, 2019
02:00 PM PT -
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >OS Build 17763.557

June 11, 2019
KB4503327Resolved External
August 09, 2019
07:03 PM PT " @@ -80,19 +76,6 @@ sections: text: " - - -
DetailsOriginating updateStatusHistory
Apps and scripts using the NetQueryDisplayInformation API may fail with error
 Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

Affected platforms:
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4516077.

Back to top		OS Build 17763.55

October 09, 2018
KB4464330		Resolved
KB4516077		Resolved:
September 24, 2019
10:00 AM PT

Opened:
August 01, 2019
05:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4511553, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512534. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512534 and install. For instructions, see Update Windows 10.

Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

Back to top		OS Build 17763.678

August 13, 2019
KB4511553		Resolved
KB4512534		Resolved:
August 17, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503327) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4511553 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

Back to top		OS Build 17763.652

July 22, 2019
KB4505658		Resolved
KB4511553		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503327 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512534.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Resolved
KB4512534		Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
" diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml index 0554cb4e28..a5729004b1 100644 --- a/windows/release-information/resolved-issues-windows-10-1903.yml +++ b/windows/release-information/resolved-issues-windows-10-1903.yml @@ -52,7 +52,6 @@ sections:
Initiating a Remote Desktop connection may result in black screen
When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.

See details >OS Build 18362.145

May 29, 2019
KB4497935Resolved
KB4512941August 30, 2019
10:00 AM PT
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start on devices in which the operating system language was changed between updates.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4512941August 30, 2019
10:00 AM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 18362.175

June 11, 2019
KB4503293Resolved
KB4512941August 30, 2019
10:00 AM PT -
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >OS Build 18362.175

June 11, 2019
KB4503293Resolved External
August 09, 2019
07:03 PM PT " @@ -95,7 +94,6 @@ sections: -
DetailsOriginating updateStatusHistory
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive the error message, \"Updates Failed, There were problems installing some updates, but we'll try again later\" or \"Error 0x80073701\" on the Windows Update dialog or within Update history.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Resolution: This issue has been resolved for most users. If you are still having issues, please see KB4528159.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
Resolved:
November 12, 2019
08:11 AM PT

Opened:
August 16, 2019
01:41 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512508, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512941. The ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512941 and install. For instructions, see Update Windows 10.

Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

Back to top		OS Build 18362.295

August 13, 2019
KB4512508		Resolved
KB4512941		Resolved:
August 30, 2019
10:00 AM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 18362.175

June 11, 2019
KB4503293		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml index 9856117a73..3e723fd5a0 100644 --- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml @@ -32,14 +32,12 @@ sections: - type: markdown text: " + + - - - -
SummaryOriginating updateStatusDate resolved
After installing an update and restarting, you might receive an error
You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.

See details >		February 11, 2020
KB4537820		Resolved
February 12, 2020
05:37 PM PT
Custom wallpaper displays as black
Using a custom image set to \"Stretch\" might not display as expected.

See details >		January 14, 2020
KB4534310		Resolved
KB4539601		February 07, 2020
10:00 AM PT
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.

See details >
Resolved
January 23, 2020
02:08 PM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		September 24, 2019
KB4516048		Resolved
KB4519976		October 08, 2019
10:00 AM PT
You may receive an error when opening or using the Toshiba Qosmio AV Center
Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll.

See details >		August 13, 2019
KB4512506		Resolved
KB4516048		September 24, 2019
10:00 AM PT
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed

See details >		August 13, 2019
KB4512506		Resolved External
August 27, 2019
02:29 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503292		Resolved
KB4512514		August 17, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		August 13, 2019
KB4512506		Resolved
KB4517297		August 16, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices running certain McAfee Endpoint security applications may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Resolved External
August 13, 2019
06:59 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >		June 11, 2019
KB4503292		Resolved External
August 09, 2019
07:03 PM PT
" @@ -50,6 +48,24 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
After installing an update and restarting, you might receive an error
After installing KB4537820 and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This is expected in the following circumstances:
  • If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
  • If you do not have an ESU MAK add-on key installed and activated. 
If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the \"How to get this update\" section of this article.

Back to top		February 11, 2020
KB4537820		Resolved
Resolved:
February 12, 2020
05:37 PM PT

Opened:
February 12, 2020
03:47 PM PT
+ " + +- title: January 2020 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Custom wallpaper displays as black
After installing KB4534310, your desktop wallpaper when set to \"Stretch\" might display as black.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4539601, if you are using Monthly Rollups. If you are using Security Only updates, see KB4539602. These updates are available for all customers running Windows 7 SP1 and Windows Server 2008 R2 SP1.

Back to top		January 14, 2020
KB4534310		Resolved
KB4539601		Resolved:
February 07, 2020
10:00 AM PT

Opened:
January 24, 2020
09:15 AM PT
+ " + - title: November 2019 - items: - type: markdown @@ -64,7 +80,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4519976. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516048		Resolved
KB4519976		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4519976. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516048		Resolved
KB4519976		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
You may receive an error when opening or using the Toshiba Qosmio AV Center
After installing KB4512506, you may receive an error when opening or using the Toshiba Qosmio AV Center. You may also receive an error in Event Log related to cryptnet.dll.

Affected platforms:
  • Client: Windows 7 SP1
Resolution: This issue was resolved in KB4516048.

Back to top		August 13, 2019
KB4512506		Resolved
KB4516048		Resolved:
September 24, 2019
10:00 AM PT

Opened:
September 10, 2019
09:48 AM PT
" @@ -75,25 +91,5 @@ sections: text: " - - -
DetailsOriginating updateStatusHistory
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Symantec identified the potential for a negative interaction that may occur after Windows Updates code signed with SHA-2 only certificates are installed on devices with Symantec or Norton antivirus programs installed. The software may not correctly identify files included in the update as code signed by Microsoft, putting the device at risk for a delayed or incomplete update.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Resolution: The safeguard hold has been removed. Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows 2008 R2 and has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection and Norton antivirus programs. See the Symantec support article for additional detail and please reach out to Symantec or Norton support if you encounter any issues.

Back to top		August 13, 2019
KB4512506		Resolved External
Last updated:
August 27, 2019
02:29 PM PT

Opened:
August 13, 2019
10:05 AM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512506, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517297. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

Back to top		August 13, 2019
KB4512506		Resolved
KB4517297		Resolved:
August 16, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503292		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503292 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512514.

Back to top		June 11, 2019
KB4503292		Resolved
KB4512514		Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
- " - -- title: April 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles: 

Back to top		April 09, 2019
KB4493472		Resolved External
Last updated:
August 13, 2019
06:59 PM PT

Opened:
April 09, 2019
10:00 AM PT
" diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml index d7ed2c1633..bcebc8ddb6 100644 --- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml @@ -35,10 +35,6 @@ sections:
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.

See details >August 13, 2019
KB4512489Resolved
KB4525250November 12, 2019
10:00 AM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >September 24, 2019
KB4516041Resolved
KB4520005October 08, 2019
10:00 AM PT
Windows RT 8.1 devices may have issues opening Internet Explorer 11
On Windows RT 8.1 devices, Internet Explorer 11 may not open and you may receive an error.

See details >September 10, 2019
KB4516067Resolved
KB4516041September 24, 2019
10:00 AM PT -
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >June 11, 2019
KB4503276Resolved
KB4512478August 17, 2019
02:00 PM PT -
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >August 13, 2019
KB4512488Resolved
KB4517298August 16, 2019
02:00 PM PT -
System may be unresponsive after restart with certain McAfee antivirus products
Devices running certain McAfee Endpoint security applications may be slow or unresponsive at startup.

See details >April 09, 2019
KB4493446Resolved External
August 13, 2019
06:59 PM PT -
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >June 11, 2019
KB4503276Resolved External
August 09, 2019
07:03 PM PT " @@ -63,35 +59,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520005. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516041		Resolved
KB4520005		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520005. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516041		Resolved
KB4520005		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
Windows RT 8.1 devices may have issues opening Internet Explorer 11
On Windows 8.1 RT devices, Internet Explorer 11 may not open and you may receive the error, \"C:\\Program Files\\Internet Explorer\\iexplore.exe: A certificate was explicitly revoked by its issuer.\"


Affected platforms:
  • Client: Windows RT 8.1
Resolution: This issue was resolved in KB4516041.

Back to top		September 10, 2019
KB4516067		Resolved
KB4516041		Resolved:
September 24, 2019
10:00 AM PT

Opened:
September 13, 2019
05:25 PM PT
" - -- title: August 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512488, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517298. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

Back to top		August 13, 2019
KB4512488		Resolved
KB4517298		Resolved:
August 16, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503276) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503276		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503276 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512478.

Back to top		June 11, 2019
KB4503276		Resolved
KB4512478		Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
- " - -- title: April 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

Back to top		April 09, 2019
KB4493446		Resolved External
Last updated:
August 13, 2019
06:59 PM PT

Opened:
April 09, 2019
10:00 AM PT
- " diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml index 8f891fdf1a..8c0739bd8e 100644 --- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml +++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml @@ -32,12 +32,10 @@ sections: - type: markdown text: " + - - -
SummaryOriginating updateStatusDate resolved
After installing an update and restarting, you might receive an error
You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.

See details >		February 11, 2020
KB4537810		Resolved
February 12, 2020
05:37 PM PT
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.

See details >
Resolved
January 23, 2020
02:08 PM PT
Issues manually installing updates by double-clicking the .msu file
You may encounter issues manually installing updates by double-clicking the .msu file and may receive an error.

See details >		September 10, 2019
KB4474419		Resolved
KB4474419		September 23, 2019
10:00 AM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		September 24, 2019
KB4516030		Resolved
KB4520002		October 08, 2019
10:00 AM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503273		Resolved
KB4512499		August 17, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		August 13, 2019
KB4512476		Resolved
KB4517301		August 16, 2019
02:00 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >		June 11, 2019
KB4503273		Resolved External
August 09, 2019
07:03 PM PT
" @@ -48,6 +46,15 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
After installing an update and restarting, you might receive an error
After installing KB4537810 and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This is expected in the following circumstances:
  • If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
  • If you do not have an ESU MAK add-on key installed and activated. 
If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the \"How to get this update\" section of this article.

Back to top		February 11, 2020
KB4537810		Resolved
Resolved:
February 12, 2020
05:37 PM PT

Opened:
February 12, 2020
03:47 PM PT
+ " + - title: November 2019 - items: - type: markdown @@ -63,25 +70,6 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Issues manually installing updates by double-clicking the .msu file
After installing the SHA-2 update (KB4474419) released on September 10, 2019, you may encounter issues manually installing updates by double-clicking on the .msu file and may receive the error, \"Installer encountered an error: 0x80073afc. The resource loader failed to find MUI file.\"

Affected platforms:
  • Server: Windows Server 2008 SP2
Workaround: Open a command prompt and use the following command (replacing <msu location> with the actual location and filename of the update): wusa.exe <msu location> /quiet

Resolution: This issue is resolved in KB4474419 released October 8, 2019. It will install automatically from Windows Update and Windows Server Update Services (WSUS). If you need to install this update manually, you will need to use the workaround above.

Note If you previously installed KB4474419 released September 23, 2019, then you already have the latest version of this update and do not need to reinstall.

Back to top		September 10, 2019
KB4474419		Resolved
KB4474419		Resolved:
September 23, 2019
10:00 AM PT

Opened:
September 20, 2019
04:57 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520002. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516030		Resolved
KB4520002		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
- " - -- title: August 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512476, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517301. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

Back to top		August 13, 2019
KB4512476		Resolved
KB4517301		Resolved:
August 16, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503273) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503273		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - +
DetailsOriginating updateStatusHistory
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503273 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512499.

Back to top		June 11, 2019
KB4503273		Resolved
KB4512499		Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520002. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516030		Resolved
KB4520002		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
" diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml index c2bef06cf8..87c57cef75 100644 --- a/windows/release-information/resolved-issues-windows-server-2012.yml +++ b/windows/release-information/resolved-issues-windows-server-2012.yml @@ -34,9 +34,6 @@ sections: - - -
SummaryOriginating updateStatusDate resolved
Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.

See details >		August 13, 2019
KB4512482		Resolved
KB4525253		November 12, 2019
10:00 AM PT
Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.

See details >		September 24, 2019
KB4516069		Resolved
KB4520007		October 08, 2019
10:00 AM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503285		Resolved
KB4512512		August 17, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

See details >		August 13, 2019
KB4512518		Resolved
KB4517302		August 16, 2019
02:00 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

See details >		June 11, 2019
KB4503285		Resolved External
August 09, 2019
07:03 PM PT
" @@ -61,25 +58,6 @@ sections: - type: markdown text: " - -
DetailsOriginating updateStatusHistory
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520007. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516069		Resolved
KB4520007		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
- " - -- title: August 2019 -- items: - - type: markdown - text: " - - - -
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512518, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517302. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

Back to top		August 13, 2019
KB4512518		Resolved
KB4517302		Resolved:
August 16, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503285) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503285		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
- " - -- title: July 2019 -- items: - - type: markdown - text: " - - +
DetailsOriginating updateStatusHistory
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503285 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512512.

Back to top		June 11, 2019
KB4503285		Resolved
KB4512512		Resolved:
August 17, 2019
02:00 PM PT

Opened:
July 10, 2019
02:51 PM PT
Intermittent issues when printing
Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
  • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
  • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4520007. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

Back to top		September 24, 2019
KB4516069		Resolved
KB4520007		Resolved:
October 08, 2019
10:00 AM PT

Opened:
September 30, 2019
06:26 PM PT
" diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index 9891ddf467..9c9ab15b4e 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ - html: Find out what you need to know > + - href: https://aka.ms/Windows7ESU + html: Stay protected with Extended Security Updates > image: - src: https://docs.microsoft.com/media/common/i_alert.svg - title: Windows 7 has reached end of support + src: https://docs.microsoft.com/media/common/i_subscription.svg + title: Still have devices running Windows 7 in your enterprise? - href: https://aka.ms/1909mechanics html: Explore the improvements > image: @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+
SummaryOriginating updateStatusLast updated
You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496

See details >		N/A
February 11, 2020
KB4502496		Mitigated
February 15, 2020
01:22 AM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 10240.18368

October 08, 2019
KB4520011		Mitigated External
November 05, 2019
03:36 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Mitigated
April 25, 2019
02:00 PM PT
@@ -72,6 +73,15 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4502496) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4502496 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2020
KB4502496		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index 4a3d572494..a70457e0ab 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ - html: Find out what you need to know > + - href: https://aka.ms/Windows7ESU + html: Stay protected with Extended Security Updates > image: - src: https://docs.microsoft.com/media/common/i_alert.svg - title: Windows 7 has reached end of support + src: https://docs.microsoft.com/media/common/i_subscription.svg + title: Still have devices running Windows 7 in your enterprise? - href: https://aka.ms/1909mechanics html: Explore the improvements > image: @@ -60,6 +60,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ + @@ -74,6 +76,16 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
“Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.

See details >		N/A
February 11, 2020
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244

See details >		N/A
February 11, 2020
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

See details >		OS Build 14393.2608

November 13, 2018
KB4467691		Resolved External
January 23, 2020
02:08 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 14393.3274

October 08, 2019
KB4519998		Mitigated External
November 05, 2019
03:36 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Mitigated
April 25, 2019
02:00 PM PT
+ + +
DetailsOriginating updateStatusHistory
“Reset this PC” feature might fail
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.

If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
  5. Upon restart use the “Reset this PC” feature and you should not encounter this issue.

Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2020
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2020
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index 47169eb98d..de65b88d9b 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ - html: Find out what you need to know > + - href: https://aka.ms/Windows7ESU + html: Stay protected with Extended Security Updates > image: - src: https://docs.microsoft.com/media/common/i_alert.svg - title: Windows 7 has reached end of support + src: https://docs.microsoft.com/media/common/i_subscription.svg + title: Still have devices running Windows 7 in your enterprise? - href: https://aka.ms/1909mechanics html: Explore the improvements > image: @@ -60,6 +60,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ + @@ -73,6 +75,16 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
“Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.

See details >		N/A
February 11, 2020
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244

See details >		N/A
February 11, 2020
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 16299.1387

September 10, 2019
KB4516066		Resolved
KB4534318		January 23, 2020
02:00 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 16299.1451

October 08, 2019
KB4520004		Mitigated External
November 05, 2019
03:36 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 16299.904

January 08, 2019
KB4480978		Mitigated
April 25, 2019
02:00 PM PT
+ + +
DetailsOriginating updateStatusHistory
“Reset this PC” feature might fail
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.

If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
  5. Upon restart use the “Reset this PC” feature and you should not encounter this issue.

Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2020
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2020
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index 9f10885c6c..db738bc8ee 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -33,11 +33,11 @@ sections: columns: 3 items: - - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ - html: Find out what you need to know > + - href: https://aka.ms/Windows7ESU + html: Stay protected with Extended Security Updates > image: - src: https://docs.microsoft.com/media/common/i_alert.svg - title: Windows 7 has reached end of support + src: https://docs.microsoft.com/media/common/i_subscription.svg + title: Still have devices running Windows 7 in your enterprise? - href: https://aka.ms/1909mechanics html: Explore the improvements > image: @@ -64,6 +64,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ + @@ -77,6 +79,16 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
“Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.

See details >		N/A
February 11, 2020
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244

See details >		N/A
February 11, 2020
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 17134.1006

September 10, 2019
KB4516058		Resolved
KB4534308		January 23, 2020
02:00 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 17134.1069

October 08, 2019
KB4520008		Mitigated External
November 05, 2019
03:36 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		OS Build 17134.523

January 08, 2019
KB4480966		Mitigated
April 25, 2019
02:00 PM PT
+ + +
DetailsOriginating updateStatusHistory
“Reset this PC” feature might fail
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.

If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
  5. Upon restart use the “Reset this PC” feature and you should not encounter this issue.

Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2020
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2020
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index 2e9516660f..b1fc3e7ceb 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -33,11 +33,11 @@ sections: columns: 3 items: - - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ - html: Find out what you need to know > + - href: https://aka.ms/Windows7ESU + html: Stay protected with Extended Security Updates > image: - src: https://docs.microsoft.com/media/common/i_alert.svg - title: Windows 7 has reached end of support + src: https://docs.microsoft.com/media/common/i_subscription.svg + title: Still have devices running Windows 7 in your enterprise? - href: https://aka.ms/1909mechanics html: Explore the improvements > image: @@ -64,6 +64,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ + @@ -78,6 +80,16 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
“Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.

See details >		N/A
February 11, 2020
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244

See details >		N/A
February 11, 2020
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

See details >		OS Build 17763.737

September 10, 2019
KB4512578		Resolved
KB4534321		January 23, 2020
02:00 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 17763.805

October 08, 2019
KB4519338		Mitigated External
November 05, 2019
03:36 PM PT
Devices with some Asian language packs installed may receive an error
Devices with Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
May 03, 2019
10:59 AM PT
+ + +
DetailsOriginating updateStatusHistory
“Reset this PC” feature might fail
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.

If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
  5. Upon restart use the “Reset this PC” feature and you should not encounter this issue.

Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2020
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2020
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index b1bf959c78..4fe4e28478 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -33,11 +33,11 @@ sections: columns: 3 items: - - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ - html: Find out what you need to know > + - href: https://aka.ms/Windows7ESU + html: Stay protected with Extended Security Updates > image: - src: https://docs.microsoft.com/media/common/i_alert.svg - title: Windows 7 has reached end of support + src: https://docs.microsoft.com/media/common/i_subscription.svg + title: Still have devices running Windows 7 in your enterprise? - href: https://aka.ms/1909mechanics html: Explore the improvements > image: @@ -64,6 +64,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ +
SummaryOriginating updateStatusLast updated
“Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.

See details >		N/A
February 11, 2020
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244

See details >		N/A
February 11, 2020
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.

See details >		N/A

Mitigated External
November 25, 2019
05:25 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		OS Build 18362.418

October 08, 2019
KB4517389		Mitigated External
November 05, 2019
03:36 PM PT
@@ -76,6 +78,16 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " + + + +
DetailsOriginating updateStatusHistory
“Reset this PC” feature might fail
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.

If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
  5. Upon restart use the “Reset this PC” feature and you should not encounter this issue.

Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2020
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2020
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1909.yml b/windows/release-information/status-windows-10-1909.yml index 36288e57f2..6029fe13f7 100644 --- a/windows/release-information/status-windows-10-1909.yml +++ b/windows/release-information/status-windows-10-1909.yml @@ -33,11 +33,11 @@ sections: columns: 3 items: - - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ - html: Find out what you need to know > + - href: https://aka.ms/Windows7ESU + html: Stay protected with Extended Security Updates > image: - src: https://docs.microsoft.com/media/common/i_alert.svg - title: Windows 7 has reached end of support + src: https://docs.microsoft.com/media/common/i_subscription.svg + title: Still have devices running Windows 7 in your enterprise? - href: https://aka.ms/1909mechanics html: Explore the improvements > image: @@ -64,6 +64,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ +
SummaryOriginating updateStatusLast updated
“Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.

See details >		N/A
February 11, 2020
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244

See details >		N/A
February 11, 2020
KB4524244		Mitigated
February 15, 2020
01:22 AM PT
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.

See details >		N/A

Mitigated External
November 25, 2019
05:25 PM PT
" @@ -75,6 +77,16 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " + + + +
DetailsOriginating updateStatusHistory
“Reset this PC” feature might fail
Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.

If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device:
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
  5. Upon restart use the “Reset this PC” feature and you should not encounter this issue.

Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2020
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		N/A
February 11, 2020
KB4524244		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index 10ac2c6e75..d47c63c516 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ - html: Find out what you need to know > + - href: https://aka.ms/Windows7ESU + html: Stay protected with Extended Security Updates > image: - src: https://docs.microsoft.com/media/common/i_alert.svg - title: Windows 7 has reached end of support + src: https://docs.microsoft.com/media/common/i_subscription.svg + title: Still have devices running Windows 7 in your enterprise? - href: https://aka.ms/1909mechanics html: Explore the improvements > image: @@ -60,7 +60,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- + + @@ -74,12 +75,21 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
Custom wallpaper displays as black
Using a custom image set to \"Stretch\" might not display as expected.

See details >		January 14, 2020
KB4534310		Mitigated
KB4539601		January 27, 2020
12:27 PM PT
After installing an update and restarting, you might receive an error
You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.

See details >		February 11, 2020
KB4537820		Resolved
February 12, 2020
05:37 PM PT
Custom wallpaper displays as black
Using a custom image set to \"Stretch\" might not display as expected.

See details >		January 14, 2020
KB4534310		Resolved
KB4539601		February 07, 2020
10:00 AM PT
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.

See details >
Resolved
January 23, 2020
02:08 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4519976		Mitigated External
November 05, 2019
03:36 PM PT
IA64 and x64 devices may fail to start after installing updates
After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.

See details >		August 13, 2019
KB4512506		Mitigated
August 17, 2019
12:59 PM PT
+ +
DetailsOriginating updateStatusHistory
After installing an update and restarting, you might receive an error
After installing KB4537820 and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This is expected in the following circumstances:
  • If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
  • If you do not have an ESU MAK add-on key installed and activated. 
If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the \"How to get this update\" section of this article.

Back to top		February 11, 2020
KB4537820		Resolved
Resolved:
February 12, 2020
05:37 PM PT

Opened:
February 12, 2020
03:47 PM PT
+ " + - title: January 2020 - items: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
Custom wallpaper displays as black
After installing KB4534310, your desktop wallpaper when set to \"Stretch\" might display as black.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Workaround: To mitigate the issue, you can do one of the following:
  • Set your custom image to an option other than \"Stretch\", such as “Fill”, “Fit”, “Tile”, or “Center”, or
  • Choose a custom wallpaper that matches the resolution of your desktop.
Next steps: We are working on a resolution and estimate a solution will be available mid-February, which will be released to all customers running Windows 7 and Windows Server 2008 R2 SP1.

Back to top		January 14, 2020
KB4534310		Mitigated
KB4539601		Last updated:
January 27, 2020
12:27 PM PT

Opened:
January 24, 2020
09:15 AM PT
Custom wallpaper displays as black
After installing KB4534310, your desktop wallpaper when set to \"Stretch\" might display as black.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4539601, if you are using Monthly Rollups. If you are using Security Only updates, see KB4539602. These updates are available for all customers running Windows 7 SP1 and Windows Server 2008 R2 SP1.

Back to top		January 14, 2020
KB4534310		Resolved
KB4539601		Resolved:
February 07, 2020
10:00 AM PT

Opened:
January 24, 2020
09:15 AM PT
" diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index 388b55fa0a..1d522d681a 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ - html: Find out what you need to know > + - href: https://aka.ms/Windows7ESU + html: Stay protected with Extended Security Updates > image: - src: https://docs.microsoft.com/media/common/i_alert.svg - title: Windows 7 has reached end of support + src: https://docs.microsoft.com/media/common/i_subscription.svg + title: Still have devices running Windows 7 in your enterprise? - href: https://aka.ms/1909mechanics html: Explore the improvements > image: @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -73,6 +74,15 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496

See details >		February 11, 2020
KB4502496		Mitigated
February 15, 2020
01:22 AM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4520005		Mitigated External
November 05, 2019
03:36 PM PT
Japanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

See details >		April 25, 2019
KB4493443		Mitigated
May 15, 2019
05:53 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		January 08, 2019
KB4480963		Mitigated
April 25, 2019
02:00 PM PT
+ +
DetailsOriginating updateStatusHistory
You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4502496) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4502496 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		February 11, 2020
KB4502496		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml index 2ea115dab7..44b16a1a5e 100644 --- a/windows/release-information/status-windows-server-2008-sp2.yml +++ b/windows/release-information/status-windows-server-2008-sp2.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ - html: Find out what you need to know > + - href: https://aka.ms/Windows7ESU + html: Stay protected with Extended Security Updates > image: - src: https://docs.microsoft.com/media/common/i_alert.svg - title: Windows 7 has reached end of support + src: https://docs.microsoft.com/media/common/i_subscription.svg + title: Still have devices running Windows 7 in your enterprise? - href: https://aka.ms/1909mechanics html: Explore the improvements > image: @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+
SummaryOriginating updateStatusLast updated
After installing an update and restarting, you might receive an error
You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.

See details >		February 11, 2020
KB4537810		Resolved
February 12, 2020
05:37 PM PT
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.

See details >
Resolved
January 23, 2020
02:08 PM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4520002		Mitigated External
November 05, 2019
03:36 PM PT
@@ -72,6 +73,15 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
After installing an update and restarting, you might receive an error
After installing KB4537810 and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This is expected in the following circumstances:
  • If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
  • If you do not have an ESU MAK add-on key installed and activated. 
If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the \"How to get this update\" section of this article.

Back to top		February 11, 2020
KB4537810		Resolved
Resolved:
February 12, 2020
05:37 PM PT

Opened:
February 12, 2020
03:47 PM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index 96c3cad5e2..cba7737955 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ - html: Find out what you need to know > + - href: https://aka.ms/Windows7ESU + html: Stay protected with Extended Security Updates > image: - src: https://docs.microsoft.com/media/common/i_alert.svg - title: Windows 7 has reached end of support + src: https://docs.microsoft.com/media/common/i_subscription.svg + title: Still have devices running Windows 7 in your enterprise? - href: https://aka.ms/1909mechanics html: Explore the improvements > image: @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -73,6 +74,15 @@ sections:
" +- title: February 2020 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496

See details >		February 11, 2020
KB4502496		Mitigated
February 15, 2020
01:22 AM PT
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

See details >		October 08, 2019
KB4520007		Mitigated External
November 05, 2019
03:36 PM PT
Japanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

See details >		April 25, 2019
KB4493462		Mitigated
May 15, 2019
05:53 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

See details >		January 08, 2019
KB4480975		Mitigated
April 25, 2019
02:00 PM PT
+ +
DetailsOriginating updateStatusHistory
You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496.

Affected platforms:
  • Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update (KB4502496) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.

If this update is installed and you are experiencing issues, you can uninstall this update.
  1. Select the start button or Windows Desktop Search and type update history and select View your Update history.
  2. On the Settings/View update history dialog window, Select Uninstall Updates.
  3. On the Installed Updates dialog window, find and select KB4502496 and select the Uninstall button.
  4. Restart your device.
 
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.

Back to top		February 11, 2020
KB4502496		Mitigated
Last updated:
February 15, 2020
01:22 AM PT

Opened:
February 15, 2020
12:02 AM PT
+ " + - title: November 2019 - items: - type: markdown diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 6cba12b21c..30fd3229a9 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -23,11 +23,11 @@ sections: columns: 2 items: - - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ - html: Find out what you need to know > + - href: https://aka.ms/Windows7ESU + html: Stay protected with Extended Security Updates > image: - src: https://docs.microsoft.com/media/common/i_alert.svg - title: Windows 7 has reached end of support + src: https://docs.microsoft.com/media/common/i_subscription.svg + title: Still have devices running Windows 7 in your enterprise? - href: https://aka.ms/1909mechanics html: Explore the improvements > image: @@ -50,7 +50,11 @@ sections: text: " - + + + + + @@ -80,18 +84,6 @@ sections: - - - - - - - - - - - -
MessageDate
Windows Search shows blank box
We are aware of a temporary server-side issue causing Windows search to show a blank box. This issue has been resolved for most users and in some cases, you might need to restart your device. We are working diligently to fully resolve the issue and will provide an update once resolved. 
February 05, 2020
09:32 AM PT
Status of February 2020 “C” release
The optional monthly “C” release for February 2020 for all supported versions of Windows and Windows Server prior to Windows 10, version 1903 and Windows Server, version 1903 will be available in the near term. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
February 21, 2020
12:00 PM PT
Compatibility issue with some Windows Server container images
If you are encountering issues with Windows Server container images, please see KB4542617.
February 13, 2020
03:21 PM PT
Take action: February 2020 security update available for all supported versions of Windows
The February 2020 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
February 11, 2020
08:00 AM PT
Take action: ESU security updates available for Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2
Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 reached end of support on January 14, 2020. For customers who have purchased Extended Security Updates (ESU), the first monthly ESU security updates are now available. If your organization has not yet been able to complete your transition to Windows 10, Windows Server 2016, or Windows Server 2019 and want to continue to receive security updates for your current version of Windows, you will need to purchase Extended Security Updates. For information on how to do so, please see How to get Extended Security Updates for eligible Windows devices, Windows 7 ESU frequently ask questions, and Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 ESU frequently asked questions.

We recommend ESU customers review the applicable KB article below for prerequisites and other important information you will need to deploy these updates.

The following updates were released today for Windows Server 2008 SP2:
The following updates were released today for Windows 7 SP1 and Windows Server 2008 R2 SP1:
February 11, 2020
08:00 AM PT
Resolved: Windows Search shows blank box
We are aware of a temporary server-side issue causing Windows search to show a blank box. This issue has been resolved for most users and in some cases, you might need to restart your device. We are working diligently to fully resolve the issue and will provide an update once resolved. 

This issue was resolved at 12:00 PM PST. If you are still experiencing issues, please restart your device. In rare cases, to mitigate this issue you may need to manually end the SearchUI.exe or SearchApp.exe process via Task Manager. (To locate these processes, select CTRL + Shift + Esc then select the Details tab.) If you have restarted and tried the previous mitigations and are still encountering issues with Windows Search, you are not experiencing the issue described here. Please see Fix problems in Windows Search for other mitigations.
February 05, 2020
12:00 PM PT
January 2020 Windows 10, version 1909 \"D\" optional release is available.
The January 2020 optional monthly “D” release for Windows 10, version 1909 and Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
January 28, 2020
08:00 AM PT
January 2020 Windows \"C\" optional release is available.
The January 2020 optional monthly “C” release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
January 23, 2020
12:00 PM PT
Windows 7 has reached end of support
Windows 7 reached end of support on January 14, 2020. If your organization has not yet been able to complete your transition from Windows 7 to Windows 10, and want to continue to receive security updates while you complete your upgrade projects, please read How to get Extended Security Updates for eligible Windows devices. For more information on end of service dates for currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
January 15, 2020
10:00 AM PT
Take Action: Internet Explorer 11 now available on Windows Update/WSUS for Windows Server 2012 and Windows Embedded 8 Standard
Internet Explorer 11 (KB 4492872) is now available via Windows Update (WU) and Windows Server Update Services (WSUS) for commercial customers running Windows Server 2012 and Windows Embedded 8 Standard. For details about these changes and end of support for IE10, please refer to the IT Pro blog
August 29, 2019
08:00 AM PT
Take action: SHA-2 code signing support guidance for Windows 7 SP1 and Windows Server 2008 RS2 SP1
Windows 7 SP1 and Windows Server 2008 R2 SP1 update signatures are now SHA-2 based signatures and requires that SHA-2 support to be installed. For important customer guidance on installation and troubleshooting tips, please read the knowledge base article 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
August 23, 2019
03:35 PM PT
Take action: Windows 10, version 1703 (the Windows 10 Creators Update) reaches end of life on October 9, 2019
The Enterprise and Education editions of Windows 10, version 1703 (the Windows 10 Creators Update) will reach end of life on October 9, 2019. The Home, Pro, Pro for Workstations, and IoT Core editions reached end of service on October 8, 2018.

There is no extended support available for any edition of Windows 10, version 1703. Therefore, it will no longer be supported after October 9, 2019 and will not receive monthly security and quality updates containing protections from the latest security threats.

To continue receiving security and quality updates, Microsoft recommends that you update your devices to the latest version of Windows 10. For more information on end of service dates and currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
August 23, 2019
02:17 PM PT
Resolved: Delays starting Internet Explorer 11
On August 16, 2019 at 7:16 AM a server required for downloading the Internet Explorer 11 (IE11) startup page, went down. As a result of the server outage, IE 11 became unresponsive for some customers who had not yet installed the August 2019 security updates. Customers who had the August 2019 security update installed were not affected. In order to ensure your devices remain in a serviced and secure state, we recommend you install the latest monthly update.

This issue was resolved on the server side at 1:00 pm PST. 
August 16, 2019
04:00 PM PT
August 2019 security update now available for Windows 10, version 1903 and all supported versions of Windows
The August 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. A “B” release is the primary, regular update event for each month and is the only regular release that contains security fixes. As a result, we recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
August 13, 2019
10:00 AM PT
Advisory: Bluetooth encryption key size vulnerability disclosed (CVE-2019-9506)
On August 13, 2019, Microsoft released security updates to address a Bluetooth key length encryption vulnerability. To exploit this vulnerability, an attacker would need specialized hardware and would be limited by the signal range of the Bluetooth devices in use. For more information about this industry-wide issue, see CVE-2019-9506 | Bluetooth Encryption Key Size Vulnerability in the Microsoft Security Update Guide and important guidance for IT pros in KB4514157. (Note: we are documenting this vulnerability together with guidance for IT admins as part of a coordinated industry disclosure effort.)
August 13, 2019
10:00 AM PT
Advisory: Windows Advanced Local Procedure Call Elevation of Privilege vulnerability disclosed (CVE-2019-1162)
On August 13, 2019, Google Project Zero (GPZ) disclosed an Elevation of Privilege (EoP) vulnerability in how Windows handles calls to Advanced Local Procedure Call (ALPC) that affects Windows operating systems, versions 8.1 and higher. An attacker must already have code execution on the target system to leverage these vulnerabilities. Microsoft released security updates on August 13, 2019 that partially address this issue. Other items disclosed by GPZ require more time to address and we are working to release a resolution in mid-September. For more information, see CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability
August 13, 2019
10:00 AM PT
Take action: Windows 10, version 1803 (the April 2018 Update) reaches end of service on November 12, 2019
Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the Windows 10, version 1903 section of the Windows release health dashboard.
August 13, 2019
10:00 AM PT
Advisory: Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125)
On July 9, 2019, Microsoft released a security update for a Windows kernel information disclosure vulnerability (CVE-2019-1125). Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically; no further configuration is necessary. For more information, see CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability in the Microsoft Security Update Guide. (Note: we are documenting this mitigation publicly today, instead of back in July, as part of a coordinated industry disclosure effort.)
August 06, 2019
10:00 AM PT
Resolved August 1, 2019 16:00 PT: Microsoft Store users may encounter blank screens when clicking on certain buttons
Some customers running the version of the Microsoft Store app released on July 29, 2019 encountered a blank screen when selecting “Switch out of S mode,” “Get Genuine,” or some “Upgrade to [version]” OS upgrade options. This issue has now been resolved and a new version of the Microsoft Store app has been released. Users who encountered this issue will need to update the Microsoft Store app on their device. If you are still encountering an issue, please see Fix problems with apps from Microsoft Store.
August 01, 2019
02:00 PM PT
Status update: Windows 10, version 1903 “D” release now available
The optional monthly “D” release for Windows 10, version 1903 is now available. Follow @WindowsUpdate for the latest on the availability of this release.
July 26, 2019
02:00 PM PT
Plan for change: Microsoft Silverlight will reach end of support on October 12, 2021
After this date, Silverlight will not receive any future quality or security updates. Microsoft will continue to ship updates to the Silverlight 5 Developer Runtime for supported browsers and versions (Internet Explorer 10 and Internet Explorer 11); however, please note that support for Internet Explorer 10 will end on 31 January 2020. See the Silverlight end of support FAQ for more details.
July 19, 2019
12:00 AM PT
Evolving Windows 10 servicing and quality
Find out how we plan to further optimize the delivery of the next Windows 10 feature update for devices running Windows 10, version 1903. If you're a commercial customer, please see the Windows IT Pro Blog for more details on how to plan for this new update option in your environment.
July 01, 2019
02:00 PM PT
Windows 10, version 1903 starting to roll out to devices running Windows 10, version 1803 and earlier
We are now beginning to build and train the machine learning (ML) based rollout process to update devices running Windows 10, version 1803 (the April 2018 Update) and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates, and improvements.
June 18, 2019
02:00 PM PT
Windows 10, version 1903 available by selecting “Check for updates”
Windows 10, version 1903 is now available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.
June 06, 2019
06:00 PM PT
Windows 10, version 1903 rollout begins
The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback.		May 21, 2019
10:00 AM PT
" diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 33ef3a0add..2c744d7f98 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -73,7 +73,7 @@ The Administrator account has full control of the files, directories, services, The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled. -In Windows 10 and Windows Server 20016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. +In Windows 10 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. **Account group membership** diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md index bc52668527..7a95b60584 100644 --- a/windows/security/identity-protection/access-control/service-accounts.md +++ b/windows/security/identity-protection/access-control/service-accounts.md @@ -114,5 +114,5 @@ The following table provides links to additional resources that are related to s | Content type | References | |---------------|-------------| | **Product evaluation** | [What's New for Managed Service Accounts](https://technet.microsoft.com/library/hh831451(v=ws.11).aspx)
[Getting Started with Group Managed Service Accounts](https://technet.microsoft.com/library/jj128431(v=ws.11).aspx) | -| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) | +| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](https://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) | | **Related technologies** | [Security Principals](security-principals.md)
[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx) | diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 69155363d3..a7532b9ecf 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -141,7 +141,7 @@ You can also check that Windows Defender Credential Guard is running by using th DG_Readiness_Tool_v3.6.ps1 -Ready ``` > [!IMPORTANT] -> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. +> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. > [!NOTE] diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index d0124ff8cf..5aef81711f 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -31,7 +31,7 @@ For Windows Defender Credential Guard to provide protection, the computers you a To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses: - Support for Virtualization-based security (required) - Secure boot (required) -- TPM 1.2 or 2.0, either discrete or firmware (preferred - provides binding to hardware) +- TPM 1.2 or 2.0 (preferred - provides binding to hardware), either discrete or firmware - UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) The Virtualization-based security requires: @@ -48,9 +48,9 @@ Credential Guard can protect secrets in a Hyper-V virtual machine, just as it wo - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10. -For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/) +For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/). -For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](https://docs.microsoft.com/windows/access-protection/remote-credential-guard#hardware-and-software-requirements) +For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](https://docs.microsoft.com/windows/access-protection/remote-credential-guard#hardware-and-software-requirements). ## Application requirements @@ -85,8 +85,9 @@ Computers that meet additional qualifications can provide additional protections The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. > [!NOTE] -> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
-> If you are an OEM, see [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
+> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers. +> +> If you are an OEM, see [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx). ### Baseline protections diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 57b0ea0add..07be2bbf3d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -31,7 +31,7 @@ Microsoft is committed to its vision of a world without passwords. We rec RDP currently does not support key based authentication and does not support self signed certificates. RDP with Windows Hello for Business is currently only supported with certificate based deployments. ## Can I deploy Windows Hello for Business using Microsoft Endpoint Configuration Manager? -Windows Hello for Business deployments using Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using Configuration Manager will no longer be supported after November 2018. +Windows Hello for Business deployments using Configuration Manager should use the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-hello-for-business-settings). ## How many users can enroll for Windows Hello for Business on a single Windows 10 computer? The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available. @@ -51,7 +51,7 @@ It is currently possible to set a convenience PIN on Azure Active Directory Join No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further. ## What is the password-less strategy? -Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less** +Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**. [Microsoft's password-less strategy](hello-videos.md#microsofts-passwordless-strategy) @@ -93,7 +93,7 @@ The **key trust** model authenticates to Active Directory using a raw key. Wind The **certificate trust** model authenticates to Active Directory using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to your end users, but you do not need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM protected private key to request a certificate from your enterprise's issuing certificate authority. ## Do I need Windows Server 2016 domain controllers? -There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment +There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment. ## What attributes are synchronized by Azure AD Connect with Windows Hello for Business? Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that are sync based on scenarios. The base scenarios that include Windows Hello for Business are [Windows 10](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes. @@ -111,7 +111,7 @@ Starting in Windows 10, version 1709, you can use multi-factor unlock to require Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. ## Why can't I enroll biometrics for my local built-in Administrator? -Windows 10 does not allow the local administrator to enroll biometric gestures(face or fingerprint). +Windows 10 does not allow the local administrator to enroll biometric gestures (face or fingerprint). ## I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model? No. If your organization is federated or using on-line services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory. @@ -144,7 +144,7 @@ The smart card emulation feature of Windows Hello for Business verifies the PIN No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fall back mechanism that is not a password. The PIN is the fall back mechanism. Disabling or hiding the PIN credential provider disabled the use of biometrics. ## How are keys protected? -Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software +Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software. Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to re-authenticate to the IDP before the IDP allows him or her to re-register). @@ -155,7 +155,7 @@ Yes. You can use the on-premises Windows Hello for Business deployment and comb Yes, if you are federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods). ## Does Windows Hello for Business work with third party federation servers? -Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) +Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). | Protocol | Description | | :---: | :--- | @@ -165,5 +165,5 @@ Windows Hello for Business can work with any third-party federation servers that | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. | ## Does Windows Hello for Business work with Mac and Linux clients? -Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) +Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 7dffe7b0a9..17f9e5e49f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -65,7 +65,7 @@ The hybrid deployment model is for organizations that: * Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources > [!Important] -> Hybrid deployments support non-destructive PIN reset that only works with the certificate trust model.
+> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
> **Requirements:**
> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md index f107a2346a..9cb4e34436 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md @@ -65,7 +65,7 @@ This policy setting controls the behavior of the elevation prompt for standard u This policy setting controls the behavior of application installation detection for the computer. - **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -- **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or System Center Configuration Manager should disable this policy setting. In this case, installer detection is unnecessary. +- **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Endpoint Configuration Manager should disable this policy setting. In this case, installer detection is unnecessary. ## User Account Control: Only elevate executable files that are signed and validated diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md index cb25136eb0..bb1cf1508f 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md @@ -38,9 +38,9 @@ The Create command sets up new virtual smart cards on the user’s system. It re | /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.
**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.
**PROMPT**  Prompts the user to enter a value for the administrator key.
**RANDOM**  Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key must be entered as 48 hexadecimal characters. | | /PIN | Indicates desired user PIN value.
**DEFAULT**  Specifies the default PIN of 12345678.
**PROMPT**  Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. | | /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK.
**DEFAULT**  Specifies the default PUK of 12345678.
**PROMPT**  Prompts the user to enter a PUK at the command line. | -| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft System Center Configuration Manager. | +| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Endpoint Configuration Manager. | | /machine | Allows you to specify the name of a remote computer on which the virtual smart card can be created. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in creating a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. | -| /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options:
**minlen** <minimum PIN length>
   If not specificed, defaults to 8. The lower bound is 4.
**maxlen** <maximum PIN length>
   If not specificed, defaults to 127. The upper bound is 127.
**uppercase**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**lowercase**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**digits**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**specialchars**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**

When using **/pinpolicy**, PIN characters must be printable ASCII characters. | +| /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options:
**minlen** <minimum PIN length>
   If not specified, defaults to 8. The lower bound is 4.
**maxlen** <maximum PIN length>
   If not specified, defaults to 127. The upper bound is 127.
**uppercase**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**lowercase**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**digits**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**specialchars**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**

When using **/pinpolicy**, PIN characters must be printable ASCII characters. | | /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](https://msdn.microsoft.com/library/mt766230.aspx#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:
**AIK_AND_CERT**  Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](https://msdn.microsoft.com/library/cc249746.aspx#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail.
**AIK_ONLY**  Creates an AIK but does not obtain an AIK certificate. | | /? | Displays Help for this command. | diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index db7f20bb3e..0737f18fec 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -48,7 +48,7 @@ Virtual smart cards can also be created and deleted by using APIs. For more info - [ITPMVirtualSmartCardManagerStatusCallBack](https://msdn.microsoft.com/library/windows/desktop/hh707161(v=vs.85).aspx) -You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](http://channel9.msdn.com/events/build/2013/2-041). +You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](https://channel9.msdn.com/events/build/2013/2-041). The following table describes the features that can be developed in a Microsoft Store app: diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 0206bbd776..3d0fdc211e 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -20,7 +20,7 @@ ms.date: 05/17/2018 - Windows 10 - Windows 10 Mobile -Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or System Center Configuration Manager. All VPN settings in Windows 10 can be configued using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx). +Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx). >[!NOTE] >If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers) first. diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md index ddff438e13..c2499cf092 100644 --- a/windows/security/includes/improve-request-performance.md +++ b/windows/security/includes/improve-request-performance.md @@ -18,6 +18,6 @@ ms.topic: article >[!NOTE] >For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +> - api-us.securitycenter.microsoft.com +> - api-eu.securitycenter.microsoft.com +> - api-uk.securitycenter.microsoft.com diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index 31855ca5b2..c3c19ee400 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -47,8 +47,8 @@ ##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md) #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) #### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md) -### [Create a WIP policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md) -#### [Create and deploy a WIP policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md) +### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md) +#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md) #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) #### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md) ### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index e4fb0170b4..7560239ff8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -126,13 +126,13 @@ Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage * Enables administrators to automate the process of encrypting volumes on client computers across the enterprise. * Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself. -* Provides centralized reporting and hardware management with Microsoft System Center Configuration Manager. +* Provides centralized reporting and hardware management with Microsoft Microsoft Endpoint Configuration Manager. * Reduces the workload on the help desk to assist end users with BitLocker recovery requests. * Enables end users to recover encrypted devices independently by using the Self-Service Portal. * Enables security officers to easily audit access to recovery key information. * Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected. * Enforces the BitLocker encryption policy options that you set for your enterprise. -* Integrates with existing management tools, such as System Center Configuration Manager. +* Integrates with existing management tools, such as Microsoft Endpoint Configuration Manager. * Offers an IT-customizable recovery user experience. * Supports Windows 10. diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 7cdd7f45b1..56c13ecbbe 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -55,7 +55,8 @@ Network Unlock must meet mandatory hardware and software requirements before the The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus, so you need to confirm that the network stack has been enabled in the BIOS before starting the computer. ->**Note:**  To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled. +> [!NOTE] +> To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled. For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail. @@ -243,7 +244,8 @@ The following steps describe how to enable the Group Policy setting that is a re The following steps describe how to deploy the required Group Policy setting: ->**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. +> [!NOTE] +> The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. 1. Copy the .cer file created for Network Unlock to the domain controller. 2. On the domain controller, launch Group Policy Management Console (gpmc.msc). @@ -254,10 +256,12 @@ The following steps describe how to deploy the required Group Policy setting: 2. Right-click the folder and choose **Add Network Unlock Certificate**. 3. Follow the wizard steps and import the .cer file that was copied earlier. ->**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer. +> [!NOTE] +> Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer. 5. Reboot the clients after deploying the group policy. - >**Note:** The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store. + > [!NOTE] + > The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store. ### Subnet policy configuration files on WDS Server (Optional) @@ -276,7 +280,8 @@ SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more usef ``` Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate. ->**Note:**  When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid. +> [!NOTE] +> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid. Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. @@ -295,7 +300,8 @@ To disallow the use of a certificate altogether, its subnet list may contain the To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. ->**Note:**  Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. +> [!NOTE] +> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. ## Update Network Unlock certificates @@ -311,12 +317,13 @@ Troubleshooting Network Unlock issues begins by verifying the environment. Many - Group policy for Network Unlock is enabled and linked to the appropriate domains. - Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. - Verify the clients were rebooted after applying the policy. -- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer: +- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the local computer: ```powershell manage-bde -protectors -get C: ``` - >**Note:** Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock + > [!NOTE] + > Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock Files to gather when troubleshooting BitLocker Network Unlock include: diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index cb9490e9cd..2f83a67ca2 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -109,9 +109,9 @@ list volume ``` ![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png) -If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from System Center Configuration Manager). +If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). -![Windows image configuration in System Center Configuration Manager](./images/sccm-imageconfig.jpg) +![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/sccm-imageconfig.jpg) #### Step 2: Verify the status of WinRE diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index a6029ffb2a..d2a77a72e2 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -47,7 +47,7 @@ The recovery process included in this topic only works for desktop devices. WIP >[!Important] >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. -4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager](create-wip-policy-using-sccm.md). +4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md). > [!NOTE] > This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM). @@ -147,7 +147,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md) -- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) +- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md) - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 288347b3aa..9d1178639c 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -25,7 +25,7 @@ ms.date: 01/09/2020 - Windows 10 Mobile, version 1607 and later - Microsoft Endpoint Configuration Manager -Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. +Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. ## Add a WIP policy After you’ve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. @@ -46,7 +46,7 @@ The **Create Configuration Item Wizard** starts. 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. -4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**. +4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Microsoft Endpoint Configuration Manager for device management, and then click **Next**. - **Settings for devices managed with the Configuration Manager client:** Windows 10 @@ -65,7 +65,8 @@ The **Create Configuration Item Wizard** starts. The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. ## Add app rules to your policy -During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. + +During the policy-creation process in Microsoft Endpoint Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. @@ -298,9 +299,10 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ``` -12. After you’ve created your XML file, you need to import it by using Configuration Manager. +12. After you’ve created your XML file, you need to import it by using Microsoft Endpoint Configuration Manager. **To import your Applocker policy file app rule using Configuration Manager** + 1. From the **App rules** area, click **Add**. The **Add app rule** box appears. diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 37be2ff41c..8879dec483 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -73,8 +73,8 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft Remote Desktop ->[!NOTE] ->Microsoft Visio and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. +> [!NOTE] +> Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. ## List of WIP-work only apps from Microsoft Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions. @@ -86,7 +86,7 @@ Microsoft still has apps that are unenlightened, but which have been tested and > [!NOTE] > As of January 2019 it is no longer necessary to add Intune Company Portal as an exempt app since it is now included in the default list of protected apps. -You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager. +You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and Microsoft Endpoint Configuration Manager. | Product name | App info | diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md index 116ddd8e14..47d4db6ed7 100644 --- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md +++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md @@ -110,7 +110,7 @@ You can see sensitive information types in Microsoft 365 compliance under **Clas - Auto labelling requires Windows 10, version 1903 - Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy - [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center -- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md) +- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-sccm.md) diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 7cdf0d2dfd..8b5a188647 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -114,8 +114,8 @@ This table provides info about the most common problems you might encounter whil
  • SavedGames
    • - WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using System Center Configuration Manager. - Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see     Can't open files offline when you use Offline Files and Windows Information Protection. + WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager. + Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.

    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection. @@ -138,5 +138,7 @@ This table provides info about the most common problems you might encounter whil > When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files. > [!NOTE] -> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +> Chromium-based versions of Microsoft Edge (versions since 79) don't fully support WIP yet. The functionality could be partially enabled by going to the local page **edge://flags/#edge-dataprotection** and setting the **Windows Information Protection** flag to **enabled**. +> [!NOTE] +> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md index e8ad475fda..fc7e101613 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md @@ -1,6 +1,6 @@ --- -title: Create a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10) -description: System Center Configuration Manager helps you create & deploy your enterprise data protection (WIP) policy. +title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10) +description: Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 ms.reviewer: ms.prod: w10 @@ -17,17 +17,17 @@ ms.topic: conceptual ms.date: 02/26/2019 --- -# Create a Windows Information Protection (WIP) policy using System Center Configuration Manager +# Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager **Applies to:** - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later -System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ## In this section |Topic |Description | |------|------------| -|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md index 3338a0ebab..e40c2405a1 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md @@ -1,6 +1,6 @@ --- title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10) -description: Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy. +description: Microsoft Intune and Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy. ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 ms.reviewer: ms.prod: w10 diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index fc2050b5d2..0de8771fac 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -42,7 +42,7 @@ You’ll need this software to run WIP in your enterprise: |Operating system | Management solution | |-----------------|---------------------| -|Windows 10, version 1607 or later | Microsoft Intune

    -OR-

    System Center Configuration Manager

    -OR-

    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx) documentation.| +|Windows 10, version 1607 or later | Microsoft Intune

    -OR-

    Microsoft Endpoint Configuration Manager

    -OR-

    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx) documentation.| ## What is enterprise data control? Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure. @@ -79,7 +79,7 @@ WIP provides: - Use of audit reports for tracking issues and remedial actions. -- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company. +- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company. ## Why use WIP? WIP is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). @@ -110,7 +110,7 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give - **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. >[!NOTE] - >For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
    System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. + >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.
    Microsoft Endpoint Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. ## How WIP works WIP helps address your everyday challenges in the enterprise. Including: diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index c3e7e88640..fee621245c 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -33,12 +33,14 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc |If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
    (Replace "contoso" with your domain name(s)| |-----------------------------|---------------------------------------------------------------------| -|Office 365 for Business |
    • contoso.sharepoint.com
    • contoso-my.sharepoint.com
    • contoso-files.sharepoint.com
    • tasks.office.com
    • protection.office.com
    • meet.lync.com
    • teams.microsoft.com
    | +|Sharepoint Online |
    • contoso.sharepoint.com
    • contoso-my.sharepoint.com
    • contoso-files.sharepoint.com
    | |Yammer |
    • www.yammer.com
    • yammer.com
    • persona.yammer.com
    | |Outlook Web Access (OWA) |
    • outlook.office.com
    • outlook.office365.com
    • attachments.office.net
    | |Microsoft Dynamics |contoso.crm.dynamics.com | |Visual Studio Online |contoso.visualstudio.com | |Power BI |contoso.powerbi.com | +|Microsoft Teams |teams.microsoft.com | +|Other Office 365 services |
    • tasks.office.com
    • protection.office.com
    • meet.lync.com
    • project.microsoft.com
    | You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both. diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index d056e573c8..7cb66960c1 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -56,7 +56,7 @@ You can try any of the processes included in these scenarios, but you should foc Create work documents in enterprise-allowed apps. For desktop:

    For mobile:

      diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index e37e6d8711..b541b24f03 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -44,7 +44,7 @@ #### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md) #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) -### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) #### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md) ### [Endpoint detection and response]() @@ -76,7 +76,7 @@ ##### [Take response actions on a machine]() ###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md) ###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags) -###### [Initiate Automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation) +###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation) ###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session) ###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) ###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines) @@ -103,12 +103,11 @@ ###### [Investigate entities on machines](microsoft-defender-atp/live-response.md) ###### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md) -### [Automated investigation and remediation]() -#### [Automated investigation and remediation overview](microsoft-defender-atp/automated-investigations.md) -#### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md) -##### [Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md) +### [Automated investigation and remediation (AIR)]() +#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md) +#### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) +#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) -### [Secure score](microsoft-defender-atp/overview-secure-score.md) ### [Threat analytics](microsoft-defender-atp/threat-analytics.md) ### [Advanced hunting]() @@ -187,7 +186,7 @@ ##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md) ##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md) ##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) -##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md) +##### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md) ### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md) @@ -231,7 +230,7 @@ -### [Configure next generation protection]() +### [Configure next-generation protection]() #### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md) #### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) @@ -291,7 +290,7 @@ #### [Manage antivirus in your business]() ##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) ##### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) -##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) +##### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) ##### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) ##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) ##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) @@ -315,15 +314,15 @@ ##### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md) ##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md) -#### [Manage next generation protection in your business]() +#### [Manage next-generation protection in your business]() +##### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md) ##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md) -##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) +##### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md) ##### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md) ##### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md) ##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md) ##### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) - ### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md) #### [What's New](microsoft-defender-atp/mac-whatsnew.md) #### [Deploy]() @@ -342,9 +341,6 @@ #### [Privacy](microsoft-defender-atp/mac-privacy.md) #### [Resources](microsoft-defender-atp/mac-resources.md) - -### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md) - ### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md) ### [Management and API support]() @@ -354,7 +350,7 @@ ##### [Onboard Windows 10 machines]() ###### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md) ###### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md) -###### [Onboard machines using System Center Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md) +###### [Onboard machines using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md) ###### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md) ###### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md) ###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md) @@ -373,7 +369,7 @@ ###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md) #### [Microsoft Defender ATP API]() -##### [Get started with Microsoft Defender ATP APIs]() +##### [Get started]() ###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md) ###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md) ###### [Hello World](microsoft-defender-atp/api-hello-world.md) @@ -383,6 +379,7 @@ ##### [Microsoft Defender ATP APIs Schema]() ###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md) +###### [Common REST API error codes](microsoft-defender-atp/common-errors.md) ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md) ###### [Alert]() @@ -460,7 +457,7 @@ ####### [Score methods and properties](microsoft-defender-atp/score.md) ####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md) ####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md) -####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md) +####### [Get machine secure score](microsoft-defender-atp/get-device-secure-score.md) ###### [Software]() ####### [Software methods and properties](microsoft-defender-atp/software.md) @@ -472,7 +469,7 @@ ###### [Vulnerability]() ####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md) -####### [Get all vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md) +####### [List vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md) ####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md) ####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md) @@ -481,8 +478,8 @@ ####### [List all recommendations](microsoft-defender-atp/get-all-recommendations.md) ####### [Get recommendation by Id](microsoft-defender-atp/get-recommendation-by-id.md) ####### [Get recommendation by software](microsoft-defender-atp/get-recommendation-software.md) -####### [Get recommendation by machines](microsoft-defender-atp/get-recommendation-machines.md) -####### [Get recommendation by vulnerabilities](microsoft-defender-atp/get-recommendation-vulnerabilities.md) +####### [List machines by recommendation](microsoft-defender-atp/get-recommendation-machines.md) +####### [List vulnerabilities by recommendation](microsoft-defender-atp/get-recommendation-vulnerabilities.md) ##### [How to use APIs - Samples]() ###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md) @@ -560,7 +557,6 @@ #### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md) #### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md) #### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md) -#### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md) #### [Configure advanced features](microsoft-defender-atp/advanced-features.md) ### [Permissions]() @@ -611,7 +607,7 @@ #### [Network protection](microsoft-defender-atp/troubleshoot-np.md) #### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md) -### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) +### [Troubleshoot next-generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md index bb4d048a5f..b13bec6cbc 100644 --- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md @@ -25,9 +25,9 @@ Audit Authorization Policy Change allows you to audit assignment and removal of | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
      However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
      If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
      However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
      If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
      However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
      If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
      However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
      If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
      However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
      If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
      However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
      If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md index 4103970aa4..204a9b6320 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md @@ -32,14 +32,6 @@ Audit Filtering Platform Policy Change allows you to audit events generated by c Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). -This subcategory is outside the scope of this document. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------| -| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. | -| Member Server | - | - | - | - | This subcategory is outside the scope of this document. | -| Workstation | - | - | - | - | This subcategory is outside the scope of this document. | - - 4709(S): IPsec Services was started. - 4710(S): IPsec Services was disabled. diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md index a4fb47fef4..bb9d974920 100644 --- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md +++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md @@ -1,6 +1,11 @@ --- title: Audit Token Right Adjusted (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Token Right Adjusted, which determines whether the operating system generates audit events when specific changes are made to the privileges of a token. +manager: dansimp +author: dansimp +ms.author: dansimp +ms.pagetype: security +ms.prod: w10 --- # Audit Token Right Adjusted @@ -16,9 +21,9 @@ For more information, see [Security Monitoring: A Possible New Way to Detect Pri | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.
      However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
      If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.
      However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
      If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.
      However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
      If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.
      However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
      If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.
      However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
      If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.
      However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
      If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index 1eaf9e6b79..d9b5265f75 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -158,7 +158,7 @@ This event generates when a logon session is created (on destination machine). I - **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. - Reference: . + Reference: . If not a **RemoteInteractive** logon, then this will be "-" string. diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index a04ae9c4c5..5c8f7fcc36 100644 --- a/windows/security/threat-protection/auditing/event-4703.md +++ b/windows/security/threat-protection/auditing/event-4703.md @@ -26,7 +26,7 @@ ms.author: dansimp ***Event Description:*** -This event generates when [token privileges](https://msdn.microsoft.com/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific account’s token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703. +This event generates when [token privileges](https://msdn.microsoft.com/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific account’s token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -185,7 +185,7 @@ Token privileges provide the ability to take certain system-level actions that y For 4703(S): A user right was adjusted. -As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory, [Audit Authorization Policy Change](audit-authorization-policy-change.md), or work with a very high volume of event 4703. +As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory, [Audit Authorization Policy Change](audit-authorization-policy-change.md), or work with a very high volume of event 4703. Otherwise, see the recommendations in the following table. diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md index 50099438ee..f2bdc2b09f 100644 --- a/windows/security/threat-protection/auditing/event-4793.md +++ b/windows/security/threat-protection/auditing/event-4793.md @@ -30,7 +30,7 @@ This event generates each time the [Password Policy Checking API](https://msdn.m The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy. -This event, for example, generates during Directory Services Restore Mode ([DSRM](http://blogs.technet.com/b/askds/archive/2009/03/11/ds-restore-mode-password-maintenance.aspx)) account password reset procedure to check new DSRM password. +This event, for example, generates during Directory Services Restore Mode ([DSRM](https://blogs.technet.com/b/askds/archive/2009/03/11/ds-restore-mode-password-maintenance.aspx)) account password reset procedure to check new DSRM password. This event generates on the computer where Password Policy Checking API was called. diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md index a832d5c983..847263668e 100644 --- a/windows/security/threat-protection/auditing/event-4908.md +++ b/windows/security/threat-protection/auditing/event-4908.md @@ -34,7 +34,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category More information about Special Groups auditing can be found here: - + diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index d385a72649..bbd17b1660 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -26,7 +26,7 @@ ms.author: dansimp ***Event Description:*** -This event generates when [resource attributes](http://blogs.technet.com/b/canitpro/archive/2013/05/07/step-by-step-protecting-your-information-with-dynamic-access-control.aspx) of the file system object were changed. +This event generates when [resource attributes](https://blogs.technet.com/b/canitpro/archive/2013/05/07/step-by-step-protecting-your-information-with-dynamic-access-control.aspx) of the file system object were changed. Resource attributes for file or folder can be changed, for example, using Windows File Explorer (object’s Properties->Classification tab). diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md index e178696465..4cd9707147 100644 --- a/windows/security/threat-protection/auditing/event-4964.md +++ b/windows/security/threat-protection/auditing/event-4964.md @@ -26,7 +26,7 @@ ms.author: dansimp ***Event Description:*** -This event occurs when an account that is a member of any defined [Special Group](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) logs in. +This event occurs when an account that is a member of any defined [Special Group](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) logs in. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -94,7 +94,7 @@ This event occurs when an account that is a member of any defined [Special Group > S-1-5-32-544;S-1-5-32-123-54-65 -> For more information see: +> For more information see: ***Field Descriptions:*** diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index 408ac0608b..a675d79c58 100644 --- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md @@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- +- -- +- This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index 483df27b13..eb3cc568ab 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- +- -- +- This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index 54471b87c2..bd0414e3ca 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- +- -- +- This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md index 1563a51f1b..159cda1e2b 100644 --- a/windows/security/threat-protection/auditing/event-5063.md +++ b/windows/security/threat-protection/auditing/event-5063.md @@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- +- -- +- This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md index 1225d34816..a5c3c577e0 100644 --- a/windows/security/threat-protection/auditing/event-5064.md +++ b/windows/security/threat-protection/auditing/event-5064.md @@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- +- -- +- This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index 9722578bab..0f5d4dd997 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- +- -- +- This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md index 1560226341..9c5f389dcf 100644 --- a/windows/security/threat-protection/auditing/event-5066.md +++ b/windows/security/threat-protection/auditing/event-5066.md @@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- +- -- +- This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md index afbbb47736..6ab1f5a7c1 100644 --- a/windows/security/threat-protection/auditing/event-5067.md +++ b/windows/security/threat-protection/auditing/event-5067.md @@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- +- -- +- This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md index 3722edd66c..fb084fd8dd 100644 --- a/windows/security/threat-protection/auditing/event-5068.md +++ b/windows/security/threat-protection/auditing/event-5068.md @@ -26,9 +26,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- +- -- +- This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md index 317e12299b..64dbd91086 100644 --- a/windows/security/threat-protection/auditing/event-5069.md +++ b/windows/security/threat-protection/auditing/event-5069.md @@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- +- -- +- This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md index e5fd12760a..ce069a495c 100644 --- a/windows/security/threat-protection/auditing/event-5070.md +++ b/windows/security/threat-protection/auditing/event-5070.md @@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- +- -- +- This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md index 7be96ce69b..fac29703cb 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -1,6 +1,6 @@ --- title: Monitor central access policies on a file server (Windows 10) -description: Learn how to monitor changes to the central access policies that apply to a file server, when using advanced security auditing options. +description: Learn how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options. ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c ms.reviewer: ms.author: dansimp @@ -22,40 +22,42 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management. +This article describes how to monitor changes to the central access policies (CAPs) that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. CAPs are created on a domain controller and then applied to file servers through Group Policy management. -Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of central access policies on a file server. The following procedures assume that you have configured and deployed dynamic access control, including central access policies, and claims in your network. If you have not yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx). +Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of CAPs on a file server. The following procedures assume that you have configured and deployed dynamic access control, including CAPs and claims, in your network. If you have not yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx). **To configure settings to monitor changes to central access policies** 1. Sign in to your domain controller by using domain administrator credentials. -2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. -3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. -4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Other Policy Change Events**. +2. In Server Manager, point to **Tools**, and then select **Group Policy Management**. +3. In the console tree, select the flexible access Group Policy Object, and then select **Edit**. +4. Select **Computer Configuration** > **Security Settings** > **Advanced Audit Policy Configuration** > **Policy Change** > **Other Policy Change Events**. - >**Note:**  This policy setting monitors policy changes that might not be captured otherwise, such as central access policy changes or trusted platform module configuration changes. + > [!NOTE] + > This policy setting monitors policy changes that might not be captured otherwise, such as CAP changes or trusted platform module configuration changes.   -5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. +5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then select **OK**. -After you modify the central access policies on the domain controller, verify that the changes have been applied to the file server and that the proper events are logged. +After you modify the CAPs on the domain controller, verify that the changes have been applied to the file server and that the proper events are logged. **To verify changes to the central access policies** 1. Sign in to your domain controller by using domain administrator credentials. 2. Open the Group Policy Management Console. -3. Right-click **Default domain policy**, and then click **Edit**. -4. Double-click **Computer Configuration**, double-click **Policies**, and then double-click **Windows Settings**. -5. Double-click **Security Settings**, right-click **File system**, and then click **Manage CAPs**. -6. In the wizard that appears, follow the instructions to add a new central access policy (CAP), and then click **OK**. -7. Use local administrator credentials to sign in to the server that hosts resources that are subject to the central access policies you changed. -8. Press the Windows key + R, then type **cmd** to open a Command Prompt window. +3. Select **Default domain policy**, and then select **Edit**. +4. Select **Computer Configuration** > **Policies**, and then select **Windows Settings**. +5. Select **Security Settings** > **File system**, and then select **Manage CAPs**. +6. In the wizard that appears, follow the instructions to add a new CAP, and then select **OK**. +7. Use local administrator credentials to sign in to the server that hosts resources that are subject to the CAPs you changed. +8. Select the Windows logo key+R, and then type **cmd** to open a command prompt window. - >**Note:**  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + > [!NOTE] + > If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.   -9. Type **gpupdate /force**, and press ENTER. -10. In Server Manager, click **Tools**, and then click **Event Viewer**. -11. Expand **Windows Logs**, and then click **Security**. Verify that event 4819 appears in the security log. +9. Type **gpupdate /force**, and then select the Enter key. +10. In Server Manager, select **Tools**, and then select **Event Viewer**. +11. Expand **Windows Logs**, and then select **Security**. Verify that event 4819 appears in the security log. -## Related resource +## Related resources - [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 1edd7842a6..a3b27f24c3 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -26,15 +26,12 @@ This can cause devices or software to malfunction and in rare cases may result i If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. >[!NOTE] ->HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. AMD CPUs do not have MBE. - ->[!TIP] -> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode (RUM)." Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book +>Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance. ## HVCI Features -* HVCI protects modification of the Code Flow Guard (CFG) bitmap. -* HVCI also ensure your other Truslets, like Credential Guard have a valid certificate. +* HVCI protects modification of the Control Flow Guard (CFG) bitmap. +* HVCI also ensure your other Truslets, like Credential Guard, have a valid certificate. * Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI. ## How to turn on HVCI in Windows 10 @@ -43,7 +40,7 @@ To enable HVCI on Windows 10 devices with supporting hardware throughout an ente - [Windows Security app](#windows-security-app) - [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune) - [Group Policy](#enable-hvci-using-group-policy) -- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) +- [Microsoft Endpoint Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) - [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity) ### Windows Security app diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md index d9eda2847f..81f5a796f3 100644 --- a/windows/security/threat-protection/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/get-support-for-security-baselines.md @@ -40,7 +40,7 @@ The toolkit supports formats created by the Windows GPO backup feature (.pol, .i Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features. -**Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?** +**Does SCT support the creation of Microsoft Endpoint Configuration Manager DCM packs?** No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). diff --git a/windows/security/threat-protection/images/AR_icon.png b/windows/security/threat-protection/images/AR_icon.png deleted file mode 100644 index fa8836ea1f..0000000000 Binary files a/windows/security/threat-protection/images/AR_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/ASR_icon.png b/windows/security/threat-protection/images/ASR_icon.png deleted file mode 100644 index dd521d492a..0000000000 Binary files a/windows/security/threat-protection/images/ASR_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/EDR_icon.png b/windows/security/threat-protection/images/EDR_icon.png deleted file mode 100644 index f2622cbc2b..0000000000 Binary files a/windows/security/threat-protection/images/EDR_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/MTE_icon.png b/windows/security/threat-protection/images/MTE_icon.png deleted file mode 100644 index d5b9b48086..0000000000 Binary files a/windows/security/threat-protection/images/MTE_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/NGP_icon.png b/windows/security/threat-protection/images/NGP_icon.png deleted file mode 100644 index 6066f305a2..0000000000 Binary files a/windows/security/threat-protection/images/NGP_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/air-icon.png b/windows/security/threat-protection/images/air-icon.png new file mode 100644 index 0000000000..985e3e4429 Binary files /dev/null and b/windows/security/threat-protection/images/air-icon.png differ diff --git a/windows/security/threat-protection/images/asr-icon.png b/windows/security/threat-protection/images/asr-icon.png new file mode 100644 index 0000000000..bf649e87ec Binary files /dev/null and b/windows/security/threat-protection/images/asr-icon.png differ diff --git a/windows/security/threat-protection/images/edr-icon.png b/windows/security/threat-protection/images/edr-icon.png new file mode 100644 index 0000000000..8c750dee42 Binary files /dev/null and b/windows/security/threat-protection/images/edr-icon.png differ diff --git a/windows/security/threat-protection/images/mte-icon.png b/windows/security/threat-protection/images/mte-icon.png new file mode 100644 index 0000000000..1d5693a399 Binary files /dev/null and b/windows/security/threat-protection/images/mte-icon.png differ diff --git a/windows/security/threat-protection/images/ngp-icon.png b/windows/security/threat-protection/images/ngp-icon.png new file mode 100644 index 0000000000..9aca3db517 Binary files /dev/null and b/windows/security/threat-protection/images/ngp-icon.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 014429c82a..c4257e755a 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,7 +1,7 @@ --- title: Threat Protection (Windows 10) description: Learn how Microsoft Defender ATP helps protect against threats. -keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting, cyber threat hunting, web threat protection +keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, configuration score, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -23,12 +23,11 @@ ms.topic: conceptual - - - - - - + + + + +

      Threat & Vulnerability Management

      Attack surface reduction

      Next generation protection

      Endpoint detection and response

      Automated investigation and remediation

      Secure score

      Microsoft Threat Experts

      Attack surface reduction

      Next generation protection

      Endpoint detection and response

      Automated investigation and remediation

      Microsoft Threat Experts
      @@ -101,20 +100,17 @@ Endpoint detection and response capabilities are put in place to detect, investi In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) -- [Threat remediation](microsoft-defender-atp/automated-investigations.md#how-threats-are-remediated) -- [Manage automated investigation](microsoft-defender-atp/manage-auto-investigation.md) -- [Analyze automated investigation](microsoft-defender-atp/manage-auto-investigation.md#analyze-automated-investigations) +- [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) +- [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) -**[Secure score](microsoft-defender-atp/overview-secure-score.md)**
      +**[Configuration Score](microsoft-defender-atp/configuration-score.md)**
      >[!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) as [Configuration score](microsoft-defender-atp/configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. +> Secure score is now part of [Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) as [Configuration score](microsoft-defender-atp/configuration-score.md). -Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. -- [Asset inventory](microsoft-defender-atp/secure-score-dashboard.md) -- [Recommended improvement actions](microsoft-defender-atp/secure-score-dashboard.md) -- [Secure score](microsoft-defender-atp/overview-secure-score.md) +Microsoft Defender ATP includes a configuration score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. +- [Configuration score](microsoft-defender-atp/configuration-score.md) - [Threat analytics](microsoft-defender-atp/threat-analytics.md) @@ -148,4 +144,4 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf **[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
      - With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. \ No newline at end of file + With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index bf486af90d..2326198e30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -108,6 +108,10 @@ The integration with Azure Advanced Threat Protection allows you to pivot direct >[!NOTE] >You'll need to have the appropriate license to enable this feature. +## Microsoft Secure Score + +Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning this feature on gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. + ### Enable the Microsoft Defender ATP integration from the Azure ATP portal To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. @@ -185,4 +189,3 @@ You'll have access to upcoming features which you can provide feedback on to hel - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications](configure-email-notifications.md) - [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) -- [Enable Secure Score security controls](enable-secure-score.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index 73a0af658e..5e5df96421 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md @@ -29,8 +29,12 @@ Advanced hunting is a query-based threat-hunting tool that lets you explore up t You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines. ## Get started with advanced hunting +Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast. +

      -We recommend going through several steps to quickly get up and running with advanced hunting. +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo] + +You can also go through each of the following steps to ramp up your advanced hunting knowledge. | Learning goal | Description | Resource | |--|--|--| diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md index 5323e67ad0..0dcf6e3af5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md @@ -40,7 +40,7 @@ For information on other tables in the advanced hunting schema, see [the advance | `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | | `OSVersion` | string | Version of the operating system running on the machine | | `OSArchitecture` | string | Architecture of the operating system running on the machine | -| `SoftwareVendor` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | +| `SoftwareVendor` | string | Name of the software vendor | | `SoftwareName` | string | Name of the software product | | `SoftwareVersion` | string | Version number of the software product | | `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system | diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index 589b46db48..1c6f356099 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md @@ -26,6 +26,9 @@ ms.topic: conceptual Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Watch this video for a quick overview of Microsoft Defender ATP's APIs. +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M] + In general, you’ll need to take the following steps to use the APIs: - Create an AAD application - Get an access token using this application diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 363a0b815b..49e8e3074a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -81,7 +81,7 @@ The "engine version" of attack surface reduction events in the event log, is gen ## Attack surface reduction rules -The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs: +The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs: Rule name | GUID | File & folder exclusions -----------|------|-------------------------- @@ -110,11 +110,11 @@ This rule blocks the following file types from launching from email in Microsoft * Executable files (such as .exe, .dll, or .scr) * Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Microsoft Endpoint Configuration Manager CB 1710 Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) -SCCM name: Block executable content from email client and webmail +Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 @@ -124,19 +124,19 @@ This rule blocks Office apps from creating child processes. This includes Word, This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings. -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710 Intune name: Office apps launching child processes -SCCM name: Block Office application from creating child processes +Configuration Manager name: Block Office application from creating child processes GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A ### Block Office applications from creating executable content -This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content. +This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk. -This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk. + Malware that abuse Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 @@ -152,11 +152,11 @@ Attackers might attempt to use Office apps to migrate malicious code into other This rule applies to Word, Excel, and PowerPoint. -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710 Intune name: Office apps injecting code into other processes (no exceptions) -SCCM name: Block Office applications from injecting code into other processes +Configuration Manager name: Block Office applications from injecting code into other processes GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 @@ -169,11 +169,11 @@ Malware written in JavaScript or VBS often acts as a downloader to fetch and lau > [!IMPORTANT] > File and folder exclusions don't apply to this attack surface reduction rule. -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710 Intune name: js/vbs executing payload downloaded from Internet (no exceptions) -SCCM name: Block JavaScript or VBScript from launching downloaded executable content +Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content GUID: D3E037E1-3EB8-44C8-A917-57927947596D @@ -181,11 +181,11 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script. -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710 Intune name: Obfuscated js/vbs/ps/macro code -SCCM name: Block execution of potentially obfuscated scripts. +Configuration Manager name: Block execution of potentially obfuscated scripts. GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC @@ -193,11 +193,11 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface. -This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710 Intune name: Win32 imports from Office macro code -SCCM name: Block Win32 API calls from Office macros +Configuration Manager name: Block Win32 API calls from Office macros GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B @@ -215,11 +215,11 @@ This rule blocks the following file types from launching unless they either meet > >You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. -This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 +This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802 Intune name: Executables that don't meet a prevalence, age, or trusted list criteria. -SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria +Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 @@ -230,11 +230,11 @@ This rule provides an extra layer of protection against ransomware. It scans exe > [!NOTE] > You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule. -This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 +This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802 Intune name: Advanced ransomware protection -SCCM name: Use advanced protection against ransomware +Configuration Manager name: Use advanced protection against ransomware GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 @@ -245,11 +245,11 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i > [!NOTE] > In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. -This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 +This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802 Intune name: Flag credential stealing from the Windows local security authority subsystem -SCCM name: Block credential stealing from the Windows local security authority subsystem +Configuration Manager name: Block credential stealing from the Windows local security authority subsystem GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 @@ -261,13 +261,13 @@ This rule blocks processes through PsExec and WMI commands from running, to prev > File and folder exclusions do not apply to this attack surface reduction rule. > [!WARNING] -> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly. +> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly. This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019 Intune name: Process creation from PSExec and WMI commands -SCCM name: Not applicable +Configuration Manager name: Not applicable GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c @@ -278,11 +278,11 @@ With this rule, admins can prevent unsigned or untrusted executable files from r * Executable files (such as .exe, .dll, or .scr) * Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 +This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802 Intune name: Untrusted and unsigned processes that run from USB -SCCM name: Block untrusted and unsigned processes that run from USB +Configuration Manager name: Block untrusted and unsigned processes that run from USB GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 @@ -297,7 +297,7 @@ This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Serve Intune name: Process creation from Office communication products (beta) -SCCM name: Not yet available +Configuration Manager name: Not yet available GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 @@ -309,7 +309,7 @@ This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Serve Intune name: Process creation from Adobe Reader (beta) -SCCM name: Not yet available +Configuration Manager name: Not yet available GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c @@ -321,7 +321,7 @@ This rule was introduced in: Windows 10 1903, Windows Server 1903 Intune name: Block persistence through WMI event subscription -SCCM name: Not yet available +Configuration Manager name: Not yet available GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index 67192e12e8..fdb2c392fa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -1,14 +1,14 @@ --- -title: Manage actions related to automated investigation and remediation -description: Use the action center to manage actions related to automated investigation and response +title: View details and results of automated investigations +description: Use the action center to view details and results following an automated investigation keywords: action, center, autoir, automated, investigation, response, remediation search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: deniseb +author: denisebmsft ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -16,36 +16,142 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Manage actions related to automated investigation and remediation +# View details and results of automated investigations -The Action center aggregates all investigations that require an action for an investigation to proceed or be completed. +Pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) are listed in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)). -![Image of Action center page](images/action-center.png) +>[!NOTE] +>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation. -The action center consists of two main tabs: -- Pending actions - Displays a list of ongoing investigations that require attention. A recommended action is presented to the analyst, which they can approve or reject. -- History - Acts as an audit log for: - - All actions taken by AutoIR or approved by an analyst with ability to undo actions that support this capability (for example, quarantine file). - - All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability. - - Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability. +## The Action center -Use the Customize columns drop-down menu to select columns that you'd like to show or hide. +![Action center page](images/action-center.png) + +The action center consists of two main tabs, as described in the following table. + +|Tab |Description | +|---------|---------| +|Pending actions |Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject.

      **NOTE**: The Pending tab appears only if there are pending actions to be approved (or rejected). | +|History |Acts as an audit log for all of the following:
      - All actions taken by automated investigation and remediation in Microsoft Defender ATP
      Actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone)
      - All commands ran and remediation actions that were applied in Live Response sessions (some actions can be undone)
      - Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) | + +Use the **Customize columns** menu to select columns that you'd like to show or hide. + +You can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. + +## The Investigations page + +![Image of Auto investigations page](images/atp-auto-investigations-list.png) + +On the **Investigations** page, you'll find a list of all automated investigations. Select an item in the list to view additional information about that automated investigation. + +By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. + +Use the **Customize columns** menu to select columns that you'd like to show or hide. From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. +### Filters for the list of investigations ->[!NOTE] ->The tab will only appear if there are pending actions for that category. +On the **Investigations** page, you can view details and use filters to focus on specific information. The following table lists available filters: -### Approve or reject an action -You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed. +|Filter |Description | +|---------|---------| +|**Status** |(See [Automated investigation status](#automated-investigation-status)) | +|**Triggering alert** | The alert that initiated the automated investigation | +|**Detection source** |The source of the alert that initiated the automated investigation. | +|**Entities** | These can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created. | +|**Threat** |The category of threat detected during the automated investigation. | +|**Tags** |Filter using manually added tags that capture the context of an automated investigation.| +|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.| -Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. +## Automated investigation status -From the panel, you can click on the Open investigation page link to see the investigation details. +An automated investigation can be have one of the following status values: -You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations. +|Status |Description | +|---------|---------| +| No threats found | No malicious entities found during the investigation. | +| Failed | A problem has interrupted the investigation, preventing it from completing. | +| Partially remediated | A problem prevented the remediation of some malicious entities. | +| Pending action | Remediation actions require review and approval. | +| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. | +| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. | +| Running | Investigation ongoing. Malicious entities found will be remediated. | +| Remediated | Malicious entities found were successfully remediated. | +| Terminated by system | Investigation was stopped by the system. | +| Terminated by user | A user stopped the investigation before it could complete. | +| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. | -## Related topics -- [Automated investigation and investigation](automated-investigations.md) -- [Learn about the automated investigations dashboard](manage-auto-investigation.md) +## View details about an automated investigation + +![Image of investigation details window](images/atp-analyze-auto-ir.png) + +You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information. + +In this view, you'll see the name of the investigation, when it started and ended. + +### Investigation graph + +The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information. + +A progress ring shows two status indicators: +- Orange ring - shows the pending portion of the investigation +- Green ring - shows the running time portion of the investigation + +![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png) + +In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds. + +The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval. + +From this view, you can also view and add comments and tags about the investigation. + +### Alerts + +The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. + +Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing. + +Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history. + +Clicking on an alert title brings you the alert page. + +### Machines + +The **Machines** tab Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated. + +Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. + +Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users. + +Clicking on an machine name brings you the machine page. + +### Evidence + +The **Evidence** tab shows details related to threats associated with this investigation. + +### Entities + +The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean. + +### Log + +The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration. + +As with other sections, you can customize columns, select the number of items to show per page, and filter the log. + +Available filters include action type, action, status, machine name, and description. + +You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data. + +### Pending actions + +If there are pending actions on an automated investigation, you'll see a pop up similar to the following image. + +![Image of pending actions](images/pending-actions.png) + +When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**. + +## Next steps + +[View and approve remediation actions](manage-auto-investigation.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 96cf4bd271..17a56b7252 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -19,6 +19,8 @@ ms.topic: conceptual # Overview of automated investigations +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] + Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually. The automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when the investigation was initiated. @@ -26,10 +28,7 @@ The automated investigation feature leverages various inspection algorithms, and > [!TIP] > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) - -## Understand the automated investigation flow - -### How the automated investigation starts +## How the automated investigation starts When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (Malicious, Suspicious, and Clean) are available during and after the automated investigation. @@ -40,7 +39,7 @@ When an alert is triggered, a security playbook goes into effect. Depending on t >- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later >- Later versions of Windows 10 -### Details of an automated investigation +## Details of an automated investigation During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Evidence**, **Entities**, and **Log** tabs. @@ -56,13 +55,13 @@ During and after an automated investigation, you can view details about the inve > [!IMPORTANT] > Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions. -### How an automated investigation expands its scope +## How an automated investigation expands its scope While an investigation is running, any other alerts generated from the machine are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation. If an incriminated entity is seen in another machine, the automated investigation process will expand its scope to include that machine, and a general security playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. -### How threats are remediated +## How threats are remediated Depending on how you set up the machine groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats. @@ -86,3 +85,9 @@ When a pending action is approved, the entity is then remediated and this new st ## Next step - [Learn about the automated investigations dashboard](manage-auto-investigation.md) + +## Related articles + +- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) + +- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md new file mode 100644 index 0000000000..bcc6ba7dc3 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md @@ -0,0 +1,83 @@ +--- +title: Common Microsoft Defender ATP API errors +description: List of common Microsoft Defender ATP API errors with descriptions. +keywords: apis, mdatp api, errors, troubleshooting +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Common REST API error codes + +* The error codes listed in the following table may be returned by an operation on any of Microsoft Defender ATP APIs. +* Note that in addition to the error code, every error response contains an error message which can help resolving the problem. +* Note that the message is a free text that can be changed. +* At the bottom of the page you can find response examples. + +Error code |HTTP status code |Message +:---|:---|:--- +BadRequest | BadRequest (400) | General Bad Request error message. +ODataError | BadRequest (400) | Invalid OData URI query (the specific error is specified). +InvalidInput | BadRequest (400) | Invalid input {the invalid input}. +InvalidRequestBody | BadRequest (400) | Invalid request body. +InvalidHashValue | BadRequest (400) | Hash value {the invalid hash} is invalid. +InvalidDomainName | BadRequest (400) | Domain name {the invalid domain} is invalid. +InvalidIpAddress | BadRequest (400) | IP address {the invalid IP} is invalid. +InvalidUrl | BadRequest (400) | URL {the invalid URL} is invalid. +MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Received: {batch size received}, allowed: {batch size allowed}. +MissingRequiredParameter | BadRequest (400) | Parameter {the missing parameter} is missing. +OsPlatformNotSupported | BadRequest (400) | OS Platform {the client OS Platform} is not supported for this action. +ClientVersionNotSupported | BadRequest (400) | {The requested action} is supported on client version {supported client version} and above. +Unauthorized | Unauthorized (401) | Unauthorized (usually invalid or expired authorization header). +Forbidden | Forbidden (403) | Forbidden (valid token but insufficient permission for the action). +DisabledFeature | Forbidden (403) | Tenant feature is not enabled. +DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason}. +NotFound | Not Found (404) | General Not Found error message. +ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found. +InternalServerError | Internal Server Error (500) | (No error message, try retry the operation or contact us if it does not resolved) + +## Body parameters are case sensitive + +The submitted body parameters are currently case sensitive. +
      If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter. +
      It is recommended to go to the requested Api documentation page and check that the submitted parameters match the relevant example. + +## Correlation request ID + +Each error response contains a unique ID parameter for tracking. +
      The property name of this parameter is "target". +
      When contacting us about an error, attaching this ID will help find the root cause of the problem. + +## Examples + +```json +{ + "error": { + "code": "ResourceNotFound", + "message": "Machine 123123123 was not found", + "target": "43f4cb08-8fac-4b65-9db1-745c2ae65f3a" + } +} +``` + + +```json +{ + "error": { + "code": "InvalidRequestBody", + "message": "Request body is incorrect", + "target": "1fa66c0f-18bd-4133-b378-36d76f3a2ba0" + } +} +``` + + diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md index 9049705849..b58503a9c9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md @@ -28,6 +28,8 @@ ms.topic: article Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications. +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4byD1] + With Conditional Access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications. You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index a040722887..5b876f90b8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -1,6 +1,6 @@ --- title: Overview of Configuration score in Microsoft Defender Security Center -description: Expand your visibility into the overall security configuration posture of your organization +description: Your configuration score shows the collective security configuration state of your machines across application, operating system, network, accounts, and security controls keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -8,45 +8,50 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/11/2019 --- # Configuration score + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!NOTE] -> Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be available for a few weeks. +> Secure score is now part of Threat & Vulnerability Management as Configuration score. -The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over the security posture of your organization based on security best practices. High configuration score means your endpoints are more resilient from cybersecurity threat attacks. +Your Configuration score is visible in the Threat & Vulnerability Management dashboard of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories: -Your configuration score widget shows the collective security configuration state of your machines across the following categories: - Application - Operating system - Network - Accounts - Security controls -## How it works ->[!NOTE] -> Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management. +A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. + +## How it works + +>[!NOTE] +> Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management. + +The data in the configuration score card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: -The data in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: - Compare collected configurations to the collected benchmarks to discover misconfigured assets - Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration - Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams) - Collect and monitor changes of security control configuration state from all assets -From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks. +From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks. ## Improve your configuration score + The goal is to remediate the issues in the security recommendations list to improve your configuration score. You can filter the view based on: + - **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls** - **Remediation type** — **Configuration change** or **Software update** @@ -64,6 +69,7 @@ See how you can [improve your security configuration](https://docs.microsoft.com >2. Key-in the security update KB number that you need to download, then click **Search**. ## Related topics + - [Supported operating systems and platforms](tvm-supported-os.md) - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) @@ -78,4 +84,3 @@ See how you can [improve your security configuration](https://docs.microsoft.com - [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) - [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) - [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) - diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md index 74f4a1a451..b9b7d557f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md @@ -1,7 +1,7 @@ --- title: Configure Threat & Vulnerability Management in Microsoft Defender ATP ms.reviewer: -description: Configuring TVM's integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) helps security and IT admins collaborate seamlessly +description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft Endpoint Configuration Manager integrations. keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM search.product: Windows 10 search.appverid: met150 @@ -23,16 +23,16 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] -This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation. +This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft Endpoint Configuration Manager for a seamless collaboration of issue remediation. ### Before you begin > [!IMPORTANT] > Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
      -Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM). +Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft Endpoint Configuration Manager. >[!WARNING] ->Only Intune and SCCM enrolled devices are supported in this scenario.
      +>Only Intune and Microsoft Endpoint Configuration Manager enrolled devices are supported in this scenario.
      >Use any of the following options to enroll devices in Intune: >- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) >- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md index 2373d0cf56..2cdb364929 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md @@ -23,7 +23,7 @@ ms.date: 07/01/2018 You can configure attack surface reduction with a number of tools, including: * Microsoft Intune -* System Center Configuration Manager +* Microsoft Endpoint Configuration Manager * Group Policy * PowerShell cmdlets diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index 8fafbb0b85..96650774c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -100,5 +100,4 @@ This section lists various issues that you may encounter when using email notifi ## Related topics - [Update data retention settings](data-retention-settings.md) - [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) -- [Enable Secure Score security controls](enable-secure-score.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index 367c0685a8..00b5ca0b72 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md @@ -150,7 +150,7 @@ With Group Policy there isn’t an option to monitor deployment of policies on t ## Related topics -- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) +- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index a91da9ad8c..09cd520b12 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md @@ -86,7 +86,7 @@ For more information on Microsoft Intune policy settings see, [Windows 10 policy ## Related topics - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) -- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) +- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) - [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 60b3f33af2..28eb5db87f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -1,7 +1,7 @@ --- -title: Onboard Windows 10 machines using System Center Configuration Manager -description: Use System Center Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service. -keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines, sccm +title: Onboard Windows 10 machines using Configuration Manager +description: Use Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service. +keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -15,43 +15,34 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/11/2018 +ms.date: 02/07/2020 --- -# Onboard Windows 10 machines using System Center Configuration Manager +# Onboard Windows 10 machines using Configuration Manager **Applies to:** - - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- System Center 2012 Configuration Manager or later versions - - +- Microsoft Endpoint Configuration Manager current branch +- System Center 2012 R2 Configuration Manager >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) -## Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606 -System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Microsoft Defender ATP on machines. For more information, see Support for Microsoft Defender Advanced Threat Protection service. ->[!NOTE] -> If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version. -> Starting with version 1606 of Configuration Manager, see [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/sccm/protect/deploy-use/windows-defender-advanced-threat-protection) for ATP configuration. +## Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager current branch +Configuration Manager current branch has integrated support to configure and manage Microsoft Defender ATP on managed devices. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection). -## Onboard Windows 10 machines using System Center Configuration Manager earlier versions -You can use existing System Center Configuration Manager functionality to create a policy to configure your machines. This is supported in the following System Center Configuration Manager versions: -- System Center 2012 Configuration Manager -- System Center 2012 R2 Configuration Manager -- System Center Configuration Manager (current branch), version 1511 -- System Center Configuration Manager (current branch), version 1602 +## Onboard Windows 10 machines using earlier versions of System Center Configuration Manager + +You can use existing Configuration Manager functionality to create a policy to configure your machines. This action is supported in System Center 2012 R2 Configuration Manager. ### Onboard machines using System Center Configuration Manager - -1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): +1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -63,7 +54,7 @@ You can use existing System Center Configuration Manager functionality to create 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. -3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic. +3. Deploy the package by following the steps in the [Packages and Programs in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg699369\(v=technet.10\)) article. a. Choose a predefined device collection to deploy the package to. @@ -72,8 +63,16 @@ You can use existing System Center Configuration Manager functionality to create >[!TIP] > After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md). +> +> Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a machine has been onboarded. An application is a different type of object than a package and program. +> If a machine is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the machine until the rule detects the status change. +> +> This behavior can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1. +> This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status". +For more information, see [Configure Detection Methods in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682159\(v=technet.10\)#step-4-configure-detection-methods-to-indicate-the-presence-of-the-deployment-type). ### Configure sample collection settings + For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine. @@ -94,17 +93,23 @@ Possible values are: The default value in case the registry key doesn’t exist is 1. -For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings). +For more information about System Center Configuration Manager Compliance see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)). -## Offboard machines using System Center Configuration Manager +## Offboard machines using Configuration Manager For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. +### Offboard machines using Microsoft Endpoint Configuration Manager current branch + +If you use Microsoft Endpoint Configuration Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file). + +### Offboard machines using System Center 2012 R2 Configuration Manager + 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Offboarding**. @@ -117,7 +122,7 @@ For security reasons, the package used to Offboard machines will expire 30 days 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. -3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic. +3. Deploy the package by following the steps in the [Packages and Programs in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg699369\(v=technet.10\)) article. a. Choose a predefined device collection to deploy the package to. @@ -125,16 +130,19 @@ For security reasons, the package used to Offboard machines will expire 30 days > Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. -### Monitor machine configuration -Monitoring with SCCM consists of two parts: +## Monitor machine configuration + +If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Microsoft Defender ATP dashboard in the Configuration Manager console. For more information, see [Microsoft Defender Advanced Threat Protection - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor). + +If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts: 1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the machines in your network. 2. Checking that the machines are compliant with the Microsoft Defender ATP service (this ensures the machine can complete the onboarding process and can continue to report data to the service). -**To confirm the configuration package has been correctly deployed:** +### Confirm the configuration package has been correctly deployed -1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane. +1. In the Configuration Manager console, click **Monitoring** at the bottom of the navigation pane. 2. Click **Overview** and then **Deployments**. @@ -142,12 +150,13 @@ Monitoring with SCCM consists of two parts: 4. Review the status indicators under **Completion Statistics** and **Content Status**. -If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). + If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). -![SCCM showing successful deployment with no errors](images/sccm-deployment.png) + ![Configuration Manager showing successful deployment with no errors](images/sccm-deployment.png) -**Check that the machines are compliant with the Microsoft Defender ATP service:**
      -You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment. +### Check that the machines are compliant with the Microsoft Defender ATP service + +You can set a compliance rule for configuration item in System Center 2012 R2 Configuration Manager to monitor your deployment. This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines. @@ -157,7 +166,7 @@ Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status” Name: “OnboardingState” Value: “1” ``` -For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings). +For more information, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)). ## Related topics - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index f290c1d7b3..baa161a42c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md @@ -136,7 +136,7 @@ Monitoring can also be done directly on the portal, or by using the different de ## Related topics - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) -- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) +- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) - [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 100bfd2636..449dd5010c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -97,7 +97,7 @@ The following steps will guide you through onboarding VDI machines and will high ## Related topics - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) -- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) +- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 6140a832e2..c25ee5cfa4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -26,8 +26,9 @@ ms.topic: article ## Before you begin Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. ->[!NOTE] ->Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive targeted attack notifications and to collaborate with experts on demand. A Microsoft Threat Experts subscription is a prerequisite for experts on demand collaboration. +Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. + +If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. ## Register to Microsoft Threat Experts managed threat hunting service If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index 301d635bef..ab87a6d7f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -40,7 +40,7 @@ You'll need to take the following configuration steps to enable the managed secu The integration will allow MSSPs to take the following actions: -- Get access to MSSP customer's Windows Defender Security Center portal +- Get access to MSSP customer's Microsoft Defender Security Center portal - Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools @@ -53,7 +53,7 @@ Typically, MSSP customers take the initial configuration steps to grant MSSPs ac In general, the following configuration steps need to be taken: -- **Grant the MSSP access to Windows Defender Security Center**
      +- **Grant the MSSP access to Microsoft Defender Security Center**
      This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant. @@ -74,7 +74,7 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. > These set of steps are directed towards the MSSP customer.
      > Access to the portal can only be done by the MSSP customer. -As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center. +As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center. Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality. @@ -82,7 +82,7 @@ Authentication and authorization of the MSSP user is built on top of Azure Activ You'll need to take the following 2 steps: - Add MSSP user to your tenant as a guest user -- Grant MSSP user access to Windows Defender Security Center +- Grant MSSP user access to Microsoft Defender Security Center ### Add MSSP user to your tenant as a guest user @@ -90,8 +90,8 @@ Add a user who is a member of the MSSP tenant to your tenant as a guest user. To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator). -### Grant MSSP user access to Windows Defender Security Center -Grant the guest user access and permissions to your Windows Defender Security Center tenant. +### Grant MSSP user access to Microsoft Defender Security Center +Grant the guest user access and permissions to your Microsoft Defender Security Center tenant. Granting access to guest user is done the same way as granting access to a user who is a member of your tenant. @@ -108,12 +108,12 @@ It is recommended that groups are created for MSSPs to make authorization access As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups. -## Access the Windows Defender Security Center MSSP customer portal +## Access the Microsoft Defender Security Center MSSP customer portal >[!NOTE] >These set of steps are directed towards the MSSP. -By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. +By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal. @@ -159,7 +159,7 @@ Step 1: Create a third-party application Step 2: Get access and refresh tokens from your customer's tenant -Step 3: Whitelist your application on Windows Defender Security Center +Step 3: Whitelist your application on Microsoft Defender Security Center @@ -279,8 +279,8 @@ After providing your credentials, you'll need to grant consent to the applicatio 8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. -### Step 3: Whitelist your application on Windows Defender Security Center -You'll need to whitelist the application you created in Windows Defender Security Center. +### Step 3: Whitelist your application on Microsoft Defender Security Center +You'll need to whitelist the application you created in Microsoft Defender Security Center. You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index c8ddf79198..f810639c75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -122,7 +122,7 @@ If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP ## Microsoft Defender ATP service backend IP range -If your network devices don't support the URLs white-listed in the prior section, you can use the following information. +If your network devices don't support the URLs added to an "allow" list in the prior section, you can use the following information. Microsoft Defender ATP is built on Azure cloud, deployed in the following regions: diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index 2e5c7cec45..0a85cb240c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -24,8 +24,9 @@ ms.topic: article ## API description -Creates new [Alert](alerts.md). -
      Microsoft Defender ATP Event is a required parameter for the alert creation. +Creates new [Alert](alerts.md) on top of **Event**. +
      **Microsoft Defender ATP Event** is required for the alert creation. +
      You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
      You can use an event found in Advanced Hunting API or Portal.
      If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it.
      An automatic investigation starts automatically on alerts created via the API. @@ -68,13 +69,13 @@ In the request body, supply the following values (all are required): Property | Type | Description :---|:---|:--- +eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. e.g. ```2018-08-03T16:45:21.7115183Z``` **Required**. +reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**. machineId | String | Id of the machine on which the event was identified. **Required**. severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**. title | String | Title for the alert. **Required**. description | String | Description of the alert. **Required**. recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**. -eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**. -reportId | String | The reportId, as obtained from the advanced query. **Required**. category| String | Category of the alert. The property values are: "General", "CommandAndControl", "Collection", "CredentialAccess", "DefenseEvasion", "Discovery", "Exfiltration", "Exploit", "Execution", "InitialAccess", "LateralMovement", "Malware", "Persistence", "PrivilegeEscalation", "Ransomware", "SuspiciousActivity" **Required**. ## Response @@ -91,16 +92,16 @@ Here is an example of the request. ``` POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference -Content-Length: application/json - +``` +```json { - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "severity": "Low", - "title": "test alert", - "description": "test alert", - "recommendedAction": "test alert", - "eventTime": "2018-08-03T16:45:21.7115183Z", - "reportId": "20776", - "category": "None" + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "severity": "Low", + "title": "example", + "description": "example alert", + "recommendedAction": "nothing", + "eventTime": "2018-08-03T16:45:21.7115183Z", + "reportId": "20776", + "category": "Exploit" } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index 703b8a3412..d2df7a0c6e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md @@ -44,5 +44,4 @@ During the onboarding process, a wizard takes you through the general settings o - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) - [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) -- [Enable Secure Score security controls](enable-secure-score.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 1b8c03d660..70a68c00ed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -56,7 +56,7 @@ You can exclude files and folders from being evaluated by most attack surface re You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. -ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). The following procedures for enabling ASR rules include instructions for how to exclude files and folders. @@ -76,7 +76,7 @@ The following procedures for enabling ASR rules include instructions for how to Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. -The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). +The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules). OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules @@ -186,4 +186,4 @@ Value: c:\path|e:\path|c:\Whitelisted.exe * [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) * [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) -* [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) +* [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md index 8829cf492a..76c04110e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md @@ -38,7 +38,7 @@ Set the baselines for calculating the score of security controls on the Secure S 3. Click **Save preferences**. ## Related topics -- [View the Secure Score dashboard](secure-score-dashboard.md) +- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [Update data retention settings for Microsoft Defender ATP](data-retention-settings.md) - [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) - [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index 271622f774..f733ffb8a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -50,7 +50,7 @@ You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the s ## Review attack surface reduction events in Windows Event Viewer -To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. +To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events. Event ID | Description -|- diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index c0073ce75e..28689c33c8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -24,7 +24,7 @@ ms.custom: asr - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803. +Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803. > [!TIP] > You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. @@ -93,7 +93,7 @@ Win32K | 260 | Untrusted Font ## Mitigation comparison -The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server 2016 (starting with version 1803), under [Exploit protection](exploit-protection.md). +The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server (starting with version 1803), under [Exploit protection](exploit-protection.md). The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md index 549743f14c..5f6f4ad48c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md @@ -34,7 +34,6 @@ In general, you’ll need to take the following steps to use the APIs: - Use the token to access Microsoft Defender ATP API. The following steps with guide you how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token. -
      **To become an official partner of Microsoft Defender ATP and appear in our partner page, you will provide us with your application identifier.** ## Create the multi-tenant app diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md index 1735811830..5f0bb3386d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md @@ -66,8 +66,7 @@ GET https://api.securitycenter.windows.com/api/recommendations Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations", "value": [ @@ -99,7 +98,8 @@ Content-type: json "nonProductivityImpactedAssets": 0, "relatedComponent": "Windows 10" } - ] + ... + ] } ``` ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md index e0e4243d76..4114015c39 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get all vulnerabilities +# List vulnerabilities **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -66,8 +66,7 @@ GET https://api.securitycenter.windows.com/api/Vulnerabilities Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities", "value": [ @@ -86,8 +85,9 @@ Content-type: json "exploitTypes": [], "exploitUris": [] } - ] - { + ... + ] + } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md index dfd844de6b..b0f731be41 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md @@ -1,6 +1,6 @@ --- -title: Get Device Secure score -description: Retrieves the organizational device secure score. +title: Get Machine Secure score +description: Retrieves the organizational machine secure score. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get Device Secure score +# Get Machine Secure score **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -75,8 +75,7 @@ Here is an example of the response. { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity", "time": "2019-12-03T09:15:58.1665846Z", - "score": 340, - "rbacGroupId": null + "score": 340 } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md index f57f5e53cf..794272d101 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md @@ -76,8 +76,7 @@ Here is an example of the response. { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity", "time": "2019-12-03T07:23:53.280499Z", - "score": 33.491554051195706, - "rbacGroupId": null + "score": 33.491554051195706 } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md index a85a0bc44e..b9a2498569 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md @@ -18,9 +18,9 @@ ms.topic: article # List exposure score by machine group -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -74,23 +74,14 @@ Here is an example of the response. { "time": "2019-12-03T09:51:28.214338Z", "score": 41.38041766305988, - "rbacGroupId": 10 + "rbacGroupName": "GroupOne" }, { "time": "2019-12-03T09:51:28.2143399Z", "score": 37.403726933165366, - "rbacGroupId": 11 - }, - { - "time": "2019-12-03T09:51:28.2143407Z", - "score": 26.390921344426033, - "rbacGroupId": 9 - }, - { - "time": "2019-12-03T09:51:28.2143414Z", - "score": 23.58823563070858, - "rbacGroupId": 5 + "rbacGroupName": "GroupTwo" } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md index 81d6659101..b4a8ff7d35 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md @@ -24,7 +24,7 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] -Retrieve a list of machines that has this software installed. +Retrieve a list of machine references that has this software installed. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. @@ -75,15 +75,16 @@ Here is an example of the response. "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762", "computerDnsName": "dave_desktop", "osPlatform": "Windows10", - "rbacGroupId": 9 + "rbacGroupName": "GroupTwo" }, { "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d", "computerDnsName": "jane_PC", "osPlatform": "Windows10", - "rbacGroupId": 9 + "rbacGroupName": "GroupTwo" } -] + ... + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md index 5ee5fe1b47..b27ecfca50 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md @@ -66,8 +66,7 @@ GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/mac Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences", "value": [ @@ -75,14 +74,15 @@ Content-type: json "id": "235a2e6278c63fcf85bab9c370396972c58843de", "computerDnsName": "h1mkn_PC", "osPlatform": "Windows10", - "rbacGroupId": 1268 + "rbacGroupName": "GroupTwo" }, { "id": "afb3f807d1a185ac66668f493af028385bfca184", "computerDnsName": "chat_Desk ", "osPlatform": "Windows10", - "rbacGroupId": 410 + "rbacGroupName": "GroupTwo" } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md index 6a56d41c99..9254f80562 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md @@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chr Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity", "id": "va-_-google-_-chrome", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index d74dc47279..449efaf986 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -1,5 +1,5 @@ --- -title: Get recommendation by machines +title: List machines by recommendation description: Retrieves a list of machines associated with the security recommendation. keywords: apis, graph api, supported apis, get, security recommendation for vulnerable machines, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get recommendation by machines +# List machines by recommendation **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -73,9 +73,10 @@ Here is an example of the response. "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee", "computerDnsName": "niw_pc", "osPlatform": "Windows10", - "rbacGroupId": 2154 + "rbacGroupName": "GroupTwo" } - ] + ... + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md index de192c1e9f..d4e5a895ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md @@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chr Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto", "id": "google-_-chrome", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md index c9ca363c20..e7e5725b8a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md @@ -1,5 +1,5 @@ --- -title: Get recommendation by vulnerabilities +title: List vulnerabilities by recommendation description: Retrieves a list of vulnerabilities associated with the security recommendation. keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get recommendation by vulnerabilities +# List vulnerabilities by recommendation **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chr Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ @@ -85,7 +84,8 @@ Content-type: json "exploitTypes": [], "exploitUris": [] } - ] + ... + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md index 2ba8c06b69..159f48e08e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md @@ -81,7 +81,8 @@ Here is an example of the response. "installations": 750, "vulnerabilities": 0 } - ] + ... + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md index 1ec2bcccd1..883c240d11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md @@ -17,10 +17,10 @@ ms.topic: article --- # List software inventory API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](../../includes/prerelease.md)] +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Retrieves the organization software inventory. @@ -66,20 +66,21 @@ GET https://api.securitycenter.windows.com/api/Software Here is an example of the response. -``` +```json { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software", "value": [ - { - "id": "microsoft-_-edge", - "name": "edge", - "vendor": "microsoft", - "weaknesses": 467, - "publicExploit": true, - "activeAlert": false, - "exposedMachines": 172, - "impactScore": 2.39947438 - } + { + "id": "microsoft-_-edge", + "name": "edge", + "vendor": "microsoft", + "weaknesses": 467, + "publicExploit": true, + "activeAlert": false, + "exposedMachines": 172, + "impactScore": 2.39947438 + } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md index 6fa52754b7..42147bc353 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md @@ -71,21 +71,22 @@ Here is an example of the response. { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ - { - "id": "CVE-2017-0140", - "name": "CVE-2017-0140", - "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.", - "severity": "Medium", - "cvssV3": 4.2, - "exposedMachines": 1, - "publishedOn": "2017-03-14T00:00:00Z", - "updatedOn": "2019-10-03T00:03:00Z", - "publicExploit": false, - "exploitVerified": false, - "exploitInKit": false, - "exploitTypes": [], - "exploitUris": [] - } + { + "id": "CVE-2017-0140", + "name": "CVE-2017-0140", + "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.", + "severity": "Medium", + "cvssV3": 4.2, + "exposedMachines": 1, + "publishedOn": "2017-03-14T00:00:00Z", + "updatedOn": "2019-10-03T00:03:00Z", + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [] + } + ... ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md index e4ccb6c433..a7ec42d80f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md @@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608 Here is an example of the response. -``` -Content-type: json +```json { "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity", "id": "CVE-2019-0608", diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ASR_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/ASR_icon.png deleted file mode 100644 index dd521d492a..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ASR_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.jpg deleted file mode 100644 index ed71564e87..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.jpg and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.png deleted file mode 100644 index f2622cbc2b..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.jpg deleted file mode 100644 index 020b1d4132..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.jpg and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.png deleted file mode 100644 index d5b9b48086..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.jpg deleted file mode 100644 index d089da2493..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.jpg and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.png deleted file mode 100644 index 6066f305a2..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png index b3cb1854b9..17097506c4 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png and b/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/air-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/air-icon.png new file mode 100644 index 0000000000..985e3e4429 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/air-icon.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/asr-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/asr-icon.png new file mode 100644 index 0000000000..bf649e87ec Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/asr-icon.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/edr-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/edr-icon.png new file mode 100644 index 0000000000..8c750dee42 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/edr-icon.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-investigations.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-investigations.jpg new file mode 100644 index 0000000000..6fe755e857 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-investigations.jpg differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-icon.png new file mode 100644 index 0000000000..1d5693a399 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-icon.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ngp-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/ngp-icon.png new file mode 100644 index 0000000000..9aca3db517 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ngp-icon.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md index 88ac0b8be9..0ef1449bfa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md @@ -36,7 +36,7 @@ Monitoring network connection behind a forward proxy is possible due to addition Network protection can be controlled using the following modes: -- **Block**
      Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. +- **Block**
      Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Microsoft Defender Security Center. - **Audit**
      Users or apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md index 2dda7ca218..6459e6190e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md @@ -56,7 +56,7 @@ For more information on how to configure exclusions from JAMF, Intune, or anothe Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot: -![[Manage exclusions screenshot](../windows-defender-antivirus/images/mdatp-37-exclusions.png) +![Manage exclusions screenshot](../windows-defender-antivirus/images/mdatp-37-exclusions.png) Select the type of exclusion that you wish to add and follow the prompts. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index 117296a474..a3c0a5a7a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -34,14 +34,14 @@ Before you get started, see [the main Microsoft Defender ATP for Mac page](micro ## Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: +Download the installation and onboarding packages from Microsoft Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. 2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - ![Windows Defender Security Center screenshot](../windows-defender-antivirus/images/ATP-Portal-Onboarding-page.png) + ![Microsoft Defender Security Center screenshot](../windows-defender-antivirus/images/ATP-Portal-Onboarding-page.png) 5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: @@ -112,6 +112,7 @@ The installation proceeds. After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. ![Microsoft Defender icon in status bar screenshot](../windows-defender-antivirus/images/MDATP-Icon-Bar.png) + ## How to Allow Full Disk Access diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 6a79d9fca6..9a7563b95c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -43,7 +43,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi 4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. 5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos). - ![Windows Defender Security Center screenshot](../windows-defender-antivirus/images/MDATP-2-DownloadPackages.png) + ![Microsoft Defender Security Center screenshot](../windows-defender-antivirus/images/MDATP-2-DownloadPackages.png) 6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: @@ -90,19 +90,19 @@ You need no special provisioning for a Mac device beyond a standard [Company Por 1. You are asked to confirm device management. -![Confirm device management screenshot](../windows-defender-antivirus/images/MDATP-3-ConfirmDeviceMgmt.png) + ![Confirm device management screenshot](../windows-defender-antivirus/images/MDATP-3-ConfirmDeviceMgmt.png) -Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: + Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: -![Management profile screenshot](../windows-defender-antivirus/images/MDATP-4-ManagementProfile.png) + ![Management profile screenshot](../windows-defender-antivirus/images/MDATP-4-ManagementProfile.png) 2. Select **Continue** and complete the enrollment. -You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. + You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. 3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed: -![Add Devices screenshot](../windows-defender-antivirus/images/MDATP-5-allDevices.png) + ![Add Devices screenshot](../windows-defender-antivirus/images/MDATP-5-allDevices.png) ## Create System Configuration profiles @@ -284,9 +284,9 @@ You may now enroll more devices. You can also enroll them later, after you have 10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: + Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: -![System configuration profiles screenshot](../windows-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png) + ![System configuration profiles screenshot](../windows-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png) ## Publish application @@ -294,27 +294,28 @@ Once the Intune changes are propagated to the enrolled devices, you can see them 2. Select **App type=Other/Line-of-business app**. 3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. 4. Select **Configure** and add the required information. -5. Use **macOS High Sierra 10.13** as the minimum OS and set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. +5. Use **macOS High Sierra 10.13** as the minimum OS. +6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. > [!CAUTION] - > Failure to set *Ignore app version* to **Yes** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. + > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy. ![Device status blade screenshot](../windows-defender-antivirus/images/MDATP-8-IntuneAppInfo.png) -6. Select **OK** and **Add**. +7. Select **OK** and **Add**. ![Device status blade screenshot](../windows-defender-antivirus/images/MDATP-9-IntunePkgInfo.png) -7. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**. +8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**. ![Client apps screenshot](../windows-defender-antivirus/images/MDATP-10-ClientApps.png) -8. Change **Assignment type** to **Required**. -9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. +9. Change **Assignment type** to **Required**. +10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. ![Intune assignments info screenshot](../windows-defender-antivirus/images/MDATP-11-Assignments.png) -10. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**: +11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**: ![Intune device status screenshot](../windows-defender-antivirus/images/MDATP-12-DeviceInstall.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index 083d1a181e..04f3d87059 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -38,14 +38,19 @@ In addition, for JAMF deployment, you need to be familiar with JAMF administrati ## Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: +Download the installation and onboarding packages from Microsoft Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > device Management > Onboarding**. -2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android** and deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. +1. In Microsoft Defender Security Center, go to **Settings > Machine management > Onboarding**. +2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android**. +3. Set the deployment method to **Mobile Device Management / Microsoft Intune**. + + >[!NOTE] + >JamF falls under **Mobile Device Management**. + +4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. +5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. - ![Windows Defender Security Center screenshot](../windows-defender-antivirus/images/MDATP-2-DownloadPackages.png) + ![Microsoft Defender Security Center screenshot](../windows-defender-antivirus/images/jamf-onboarding.png) 5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: @@ -87,7 +92,7 @@ To approve the kernel extension: 1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. 2. Use **UBF8T346G9** for Team Id. -![Approved kernel extensions screenshot](../windows-defender-antivirus/images/MDATP-17-approvedKernelExtensions.png) + ![Approved kernel extensions screenshot](../windows-defender-antivirus/images/MDATP-17-approvedKernelExtensions.png) ### Privacy Preferences Policy Control @@ -103,7 +108,7 @@ Add the following JAMF policy to grant Full Disk Access to Microsoft Defender AT 3. Set Code Requirement to `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`. 4. Set app or service to SystemPolicyAllFiles and access to Allow. -![Privacy Preferences Policy Control](../windows-defender-antivirus/images/MDATP-35-JAMF-PrivacyPreferences.png) + ![Privacy Preferences Policy Control](../windows-defender-antivirus/images/MDATP-35-JAMF-PrivacyPreferences.png) #### Configuration Profile's Scope @@ -153,16 +158,16 @@ You'll need no special provisioning for a macOS computer, beyond the standard JA > [!NOTE] > After a computer is enrolled, it will show up in the Computers inventory (All Computers). -1. Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. + - Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. -![MDM approve button screenshot](../windows-defender-antivirus/images/MDATP-21-MDMProfile1.png)
      -![MDM screenshot](../windows-defender-antivirus/images/MDATP-22-MDMProfileApproved.png) + ![MDM approve button screenshot](../windows-defender-antivirus/images/MDATP-21-MDMProfile1.png)
      + ![MDM screenshot](../windows-defender-antivirus/images/MDATP-22-MDMProfileApproved.png) -After a moment, the device's User Approved MDM status will change to **Yes**. + After a moment, the device's User Approved MDM status will change to **Yes**. -![MDM status screenshot](../windows-defender-antivirus/images/MDATP-23-MDMStatus.png) + ![MDM status screenshot](../windows-defender-antivirus/images/MDATP-23-MDMStatus.png) -You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages. + You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages. ## Deployment diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md index 0c7105a289..cd57c99e3a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md @@ -53,7 +53,7 @@ As part of the process of creating a machine group, you'll: 2. Click **Add machine group**. -3. Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group. For more information on automation levels, see [Understand the Automated investigation flow](automated-investigations.md#understand-the-automated-investigation-flow). +3. Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group. See [How the automated investigation starts](automated-investigations.md#how-the-automated-investigation-starts). >[!TIP] >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Create and manage machine tags](machine-tags.md). @@ -83,7 +83,6 @@ Machines that are not matched to any groups are added to Ungrouped machines (def ## Related topics -## Related topic - [Manage portal access using role-based based access control](rbac.md) - [Create and manage machine tags](machine-tags.md) - [Get list of tenant machine groups using Graph API](get-machinegroups-collection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md index 3380258c96..6b96503525 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md @@ -78,7 +78,7 @@ Filter by machines that are well configured or require attention based on the se - **Well configured** - Machines have the security controls well configured. - **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization. -For more information, see [View the Secure Score dashboard](secure-score-dashboard.md). +For more information, see [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). ### Threat mitigation status diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 32343d94bd..a9250abb97 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -1,6 +1,6 @@ --- -title: Learn about the automated investigations dashboard in Microsoft Defender Security Center -description: View the automated investigations list. View the status, detection source and other details for automated investigations. +title: Review and approve actions following automated investigations in the Microsoft Defender Security Center +description: Review and approve (or reject) remediation actions following an automated investigation. keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, machines, duration, filter export search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -8,8 +8,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: deniseb +author: denisebmsft ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -17,154 +17,52 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Learn about the automated investigations dashboard -By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. +# Review and approve actions following an automated investigation ->[!NOTE] ->If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation. +## Remediation actions -Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide. +When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed. -From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria. +When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically: +- Quarantine file +- Remove registry key +- Kill process +- Stop service +- Remove registry key +- Disable driver +- Remove scheduled task -![Image of Auto investigations page](images/atp-auto-investigations-list.png) +Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible. This helps your automated investigations complete in a timely manner. +No actions are taken when evidence is determined to be *Clean*. + +In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions). + +## Review pending actions + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard. + +2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. + +3. Review any items on the **Pending** tab. + + Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details. + + You can also select multiple investigations to approve or reject actions on multiple investigations. + + +## Review completed actions + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard. + +2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. + +3. Select the **History** tab. (If need be, expand the time period to display more data.) + +4. Select an item to view more details about that remediation action. -**Filters**
      -You can use the following operations to customize the list of automated investigations displayed: +## Related articles +- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) -**Triggering alert**
      -The alert that initiated the automated investigation. - -**Status**
      -An automated investigation can be in one of the following status: - -Status | Description -:---|:--- -| No threats found | No malicious entities found during the investigation. -| Failed | A problem has interrupted the investigation, preventing it from completing. | -| Partially remediated | A problem prevented the remediation of some malicious entities. | -| Pending action | Remediation actions require review and approval. | -| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. | -| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. | -| Running | Investigation ongoing. Malicious entities found will be remediated. | -| Remediated | Malicious entities found were successfully remediated. | -| Terminated by system | Investigation was stopped by the system. | -| Terminated by user | A user stopped the investigation before it could complete. -| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. | - - - -**Detection source**
      -Source of the alert that initiated the automated investigation. - -**Threat**
      -The category of threat detected during the automated investigation. - - -**Tags**
      -Filter using manually added tags that capture the context of an automated investigation. - -**Machines**
      -You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine. - -**Machine groups**
      -Apply this filter to see specific machine groups that you might have created. - -**Comments**
      -Select between filtering the list between automated investigations that have comments and those that don't. - -## Analyze automated investigations -You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information. - -In this view, you'll see the name of the investigation, when it started and ended. - -![Image of investigation details window](images/atp-analyze-auto-ir.png) - -The progress ring shows two status indicators: -- Orange ring - shows the pending portion of the investigation -- Green ring - shows the running time portion of the investigation - -![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png) - -In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds. - -The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval. - -From this view, you can also view and add comments and tags about the investigation. - -### Investigation page -The investigation page gives you a quick summary on the status, alert severity, category, and detection source. - -You'll also have access to the following sections that help you see details of the investigation with finer granularity: - -- Investigation graph -- Alerts -- Machines -- Evidence -- Entities -- Log -- Pending actions - - >[!NOTE] - >The Pending actions tab is only displayed if there are actual pending actions. - -- Pending actions history - - >[!NOTE] - >The Pending actions history tab is only displayed when an investigation is complete. - -In any of the sections, you can customize columns to further expand to limit the details you see in a section. - -### Investigation graph -The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information. - -### Alerts -Shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. - -Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing. - -Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history. - -Clicking on an alert title brings you the alert page. - -### Machines -Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated. - -Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. - -Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users. - -Clicking on an machine name brings you the machine page. - -### Evidence -Shows details related to threats associated with this investigation. - -### Entities -Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean. - -### Log -Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration. - -As with other sections, you can customize columns, select the number of items to show per page, and filter the log. - -Available filters include action type, action, status, machine name, and description. - -You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data. - -### Pending actions history -This tab is only displayed when an investigation is complete and shows all pending actions taken during the investigation. - - -## Pending actions -If there are pending actions on an automated investigation, you'll see a pop up similar to the following image. - -![Image of pending actions](images/pending-actions.png) - -When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md). - - -## Related topic -- [Investigate Microsoft Defender ATP alerts](investigate-alerts.md) -- [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md) +- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index be8b72641f..ae1856f3eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -125,7 +125,8 @@ It's important to understand the following prerequisites prior to creating indic > For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages Network Protection (link) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS):
      > NOTE: >- IP is supported for all three protocols ->- Encrypted URLs can only be blocked on first party browsers +>- Encrypted URLs (full path) can only be blocked on first party browsers +>- Encrypted URLS (FQDN only) can be blocked outside of first party browsers >- Full URL path blocks can be applied on the domain level and all unencrypted URLs >[!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index f838be1390..2634614f1b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md @@ -43,7 +43,7 @@ The Microsoft Defender ATP solution is built on top of an integration-ready plat Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. -![Image of available API and integration in Microsoft Defender ATP](images/mdatp-apis.png) +![Image of available API and integration in Microsoft Defender ATP](images/mdatp-apis.png) The Microsoft Defender ATP APIs can be grouped into three: - Microsoft Defender ATP APIs @@ -54,6 +54,9 @@ The Microsoft Defender ATP APIs can be grouped into three: Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form. +Watch this video for a quick overview of Microsoft Defender ATP's APIs. +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M] + The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, machine, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information see, [Supported APIs](exposed-apis-list.md). The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate machines from the network, quarantine files, and others. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index 56b73435ad..9c596b4ec9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -25,6 +25,8 @@ ms.topic: conceptual Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] + Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: - **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors @@ -48,12 +50,11 @@ Microsoft Defender ATP uses the following combination of technology built into W - - - - - - + + + + +

      Threat & Vulnerability Management

      Attack surface reduction

      Next generation protection

      Endpoint detection and response

      Automated investigation and remediation

      Secure score

      Microsoft Threat Experts

      Attack surface reduction

      Next generation protection

      Endpoint detection and response

      Automated investigation and remediation

      Microsoft Threat Experts
      @@ -97,17 +98,21 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft -**[Secure score](overview-secure-score.md)**
      +**[Configuration score](configuration-score.md)**
      > [!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. +> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). -Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. +Microsoft Defender ATP includes a configuration score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. **[Microsoft Threat Experts](microsoft-threat-experts.md)**
      Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately. +>[!IMPORTANT] +>Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.

      +>

      If you are not enrolled yet and would like to experience its benefits, go to Settings > General > Advanced features > Microsoft Threat Experts to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. + **[Management and APIs](management-apis.md)**
      diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index c451cf8400..a28cd30703 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md @@ -26,9 +26,12 @@ Microsoft Threat Experts is a managed detection and response (MDR) service that This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand. ->[!NOTE] ->Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive targeted attack notifications and to collaborate with experts on demand. A Microsoft Threat Experts subscription is a prerequisite for experts on demand collaboration. See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details. - + +## Before you begin +Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. + +If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details. + ## Targeted attack notification Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. The managed hunting service includes: - Threat monitoring and analysis, reducing dwell time and risk to the business diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 3c6f9f6bc7..64488a550e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -29,7 +29,9 @@ Network protection helps reduce the attack surface of your devices from Internet Network protection expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). -Network protection is supported beginning with Windows 10, version 1709. +Network protection is supported beginning with Windows 10, version 1709. + +For more details about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. > [!TIP] > You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 3da4badfe6..09dea1ee83 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -27,6 +27,10 @@ Effectively identifying, assessing, and remediating endpoint weaknesses is pivot It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context. +Watch this video for a quick overview of Threat & Vulnerability Management. + +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4mLsn] + ## Next-generation capabilities Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase. @@ -75,3 +79,4 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm - [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) - [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine) - [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [BLOG: Microsoft’s Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index ea9ee7efc8..5fee273e29 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md @@ -34,7 +34,6 @@ Follow the corresponding instructions depending on your preferred deployment met ## Offboard Windows 10 machines - [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script) - [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy) -- [Offboard machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager) - [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools) ## Offboard Servers diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt index 987d3c8ce0..51d5efdc49 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt +++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt @@ -95,9 +95,6 @@ #### [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md) -### [Secure score](overview-secure-score.md) - - ### [Threat analytics](threat-analytics.md) @@ -298,8 +295,6 @@ ##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) -### [Configure Secure score dashboard security controls](secure-score-dashboard.md) - ### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) @@ -336,7 +331,7 @@ ##### [Understand Microsoft Defender ATP APIs](use-apis.md) ##### [Microsoft Defender ATP API license and terms](api-terms-of-use.md) -##### [Get started with Microsoft Defender ATP APIs]() +##### [Get started]() ###### [Introduction](apis-intro.md) ###### [Hello World](api-hello-world.md) ###### [Get access with application context](exposed-apis-create-app-webapp.md) @@ -345,6 +340,7 @@ ##### [APIs]() ###### [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) +###### [Common REST API error codes](common-errors.md) ###### [Advanced Hunting](run-advanced-query-api.md) ###### [Alert]() @@ -480,7 +476,6 @@ ##### [Update data retention settings](data-retention-settings.md) ##### [Configure alert notifications](configure-email-notifications.md) ##### [Enable and create Power BI reports using Windows Security app data](powerbi-reports.md) -##### [Enable Secure score security controls](enable-secure-score.md) ##### [Configure advanced features](advanced-features.md) #### [Permissions]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md index 1a48280c33..68bfb931a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md @@ -35,6 +35,8 @@ In general, to onboard devices to the service: - Use the appropriate management tool and deployment method for your devices - Run a detection test to verify that the devices are properly onboarded and reporting to the service +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr] + ## In this section Topic | Description :---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index 0d041b05e3..c304bcfd54 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md @@ -31,7 +31,6 @@ Topic | Description :---|:--- [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. [Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. -[Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization. [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts. [Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP. [Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md deleted file mode 100644 index f08e397a67..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md +++ /dev/null @@ -1,93 +0,0 @@ ---- -title: Overview of Secure score in Microsoft Defender Security Center -description: Expand your visibility into the overall security posture of your organization -keywords: secure score, security controls, improvement opportunities, security score over time, score, posture, baseline -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Overview of Secure score in Microsoft Defender Security Center -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - ->[!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. - -The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. - ->[!IMPORTANT] -> This feature is available for machines on Windows 10, version 1703 or later. - - -The **Secure score dashboard** displays a snapshot of: -- Microsoft secure score -- Secure score over time -- Top recommendations -- Improvement opportunities - - -![Secure score dashboard](images/new-secure-score-dashboard.png) - -## Microsoft secure score -The Microsoft secure score tile is reflective of the sum of all the security controls that are configured according to the recommended Windows baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings. - -![Image of Microsoft secure score tile](images/mss.png) - -Each Microsoft security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported Microsoft security controls (security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). - -The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess). - -In the example image, the total points for the security controls and Office 365 add up to 602 points. - -You can set the baselines for calculating the security control scores on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score.md). - -## Secure score over time -You can track the progression of your organizational security posture over time using this tile. It displays the overall score in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture. - -![Image of the security score over time tile](images/new-ssot.png) - -You can mouse over specific date points to see the total score for that security control is on a specific date. - - -## Top recommendations -Reflects specific actions you can take to significantly increase the security stance of your organization and how many points will be added to the secure score if you take the recommended action. - -![Top recommendations tile](images/top-recommendations.png) - -## Improvement opportunities -Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control. - -Clicking on the affected machines link at the top of the table takes you to the Machines list. The list is filtered to reflect the list of machines where improvements can be made. - - - -![Improvement opportunities](images/io.png) - - -Within the tile, you can click on each control to see the recommended optimizations. - -Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. - -## Related topic -- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [Threat analytics](threat-analytics.md) - diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md index be86e6742f..8600ed540e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview.md @@ -38,8 +38,8 @@ Topic | Description [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Microsoft Defender ATP so you can protect desktops, portable computers, and servers. [Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Microsoft Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats. [Automated investigation and remediation](automated-investigations.md) | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. -[Secure score](overview-secure-score.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place. -[Microsoft Threat Experts](microsoft-threat-experts.md) | Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand. +[Configuration score](configuration-score.md) | Your configuration score shows the collective security configuration state of your machines across application, operating system, network, accounts, and security controls. +[Microsoft Threat Experts](microsoft-threat-experts.md) | Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand.

      **NOTE:**

      Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.

      If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. [Advanced hunting](advanced-hunting-overview.md) | Use a powerful query-based threat-hunting tool to proactively find breach activity and create custom detection rules. [Management and APIs](management-apis.md) | Microsoft Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. [Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other how Microsoft Defender ATP works with other Microsoft security solutions. diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index 480df72feb..ceb8637a40 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -122,5 +122,5 @@ Icon | Description ## Related topics - [Understand the Microsoft Defender Advanced Threat Protection portal](use.md) - [View the Security operations dashboard](security-operations-dashboard.md) -- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) +- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md index 60c0833058..2fc67b8211 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md @@ -138,16 +138,16 @@ structure required for your environment. ## Adoption Order -In many cases organizations will have existing endpoint security products in -place. The bare minimum every organization should have is an antivirus solution. But in some cases an organization might also already implanted an EDR solution. -Historically, replacing any security solution was time intensive and difficult -to achieve due to the tight hooks into the application layer and infrastructure +In many cases, organizations will have existing endpoint security products in +place. The bare minimum every organization should have is an antivirus solution. But in some cases, an organization might also have implanted an EDR solution already. +Historically, replacing any security solution used to be time intensive and difficult +to achieve, due to the tight hooks into the application layer and infrastructure dependencies. However, because Microsoft Defender ATP is built into the -operating system, replacing third-party solutions is easy to achieve. +operating system, replacing third-party solutions is now easy to achieve. -Choose which component of Microsoft Defender ATP to be used and remove the ones -that do not apply. The table below indicates the Microsoft recommendation on the -order on how the endpoint security suite should be enabled. +Choose the component of Microsoft Defender ATP to be used and remove the ones +that do not apply. The table below indicates the order Microsoft recommends for +how the endpoint security suite should be enabled. | Component | Description | Adoption Order Rank | |-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------| @@ -159,4 +159,4 @@ order on how the endpoint security suite should be enabled. | Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable | ## Related topic -- [Production deployment](production-deployment.md) \ No newline at end of file +- [Production deployment](production-deployment.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/product-brief.md b/windows/security/threat-protection/microsoft-defender-atp/product-brief.md index 2a83d109de..e69a6bc890 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/product-brief.md +++ b/windows/security/threat-protection/microsoft-defender-atp/product-brief.md @@ -36,33 +36,33 @@ Capability | Description **Threat and Vulnerability Management** | This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. **Attack Surface Reduction** | The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. **Next Generation Protection** | To further reinforce the security perimeter of the organizations network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. -**Endpoint Detection & Response** | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. -**Auto Investigation & Remediation** | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +**Endpoint Detection & Response** | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. +**Auto Investigation & Remediation** | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. **Microsoft Threat Experts** | Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately. -**Secure Score** | Microsoft Defender ATP includes a secure score to help dynamically assess the security state of the enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of the organization. +**Configuration Score** | Microsoft Defender ATP includes configuration score to help dynamically assess the security state of the enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of the organization. **Advance Hunting** | Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in the organization. **Management and API** | Integrate Microsoft Defender Advanced Threat Protection into existing workflows. **Microsoft Threat Protection** | Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to the organization. | | Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: -- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors +- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP. - -- **Cloud security analytics**: Leveraging big-data, machine-learning, and +- **Cloud security analytics**: Leveraging big-data, machine-learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats. -- **Threat intelligence**: Generated by Microsoft hunters, security teams, +- **Threat intelligence**: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Microsoft Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data. ## Licensing requirements + Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: - Windows 10 Enterprise E5 @@ -71,4 +71,5 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Microsoft 365 A5 (M365 A5) ## Related topic + - [Prepare deployment](prepare-deployment.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md index a617060626..0b3f53d6f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md @@ -63,6 +63,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w - Each event hub message in Azure Event Hubs contains list of records. - Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**". - For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md). +- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information. ## Data types mapping: diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md index f0c242ed3a..682cc7e7d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md @@ -64,6 +64,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w - Each blob contains multiple rows. - Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties". - For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md). +- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information. ## Data types mapping: diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md index 20269f37f3..3bf1ca9d9d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/rbac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/rbac.md @@ -28,6 +28,8 @@ ms.topic: article Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do. +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bJ2a] + Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize access to security portals. Typical tiers include the following three levels: Tier | Description diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 90191cad9b..8998da024b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -209,6 +209,8 @@ Results of deep analysis are matched against threat intelligence and any matches Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page. +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr] + **Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis. > [!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 540c957c3f..19ccd7e62c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -71,21 +71,18 @@ Request Here is an example of the request. ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +[!include[Improve request performance](../../includes/improve-request-performance.md)] + ``` POST https://api.securitycenter.windows.com/api/advancedqueries/run Content-type: application/json { - "Query":"ProcessCreationEvents -| where InitiatingProcessFileName =~ \"powershell.exe\" -| where ProcessCommandLine contains \"appdata\" -| project EventTime, FileName, InitiatingProcessFileName -| limit 2" + "Query":"DeviceProcessEvents + | where InitiatingProcessFileName =~ 'powershell.exe' + | where ProcessCommandLine contains 'appdata' + | project Timestamp, FileName, InitiatingProcessFileName, DeviceId + | limit 2" } ``` @@ -96,32 +93,40 @@ Here is an example of the response. >[!NOTE] >The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. -``` -HTTP/1.1 200 OK -Content-Type: application/json​ +```json { - "Schema": [{ - "Name": "EventTime", - "Type": "DateTime" - }, - { - "Name": "FileName", - "Type": "String" - }, - { - "Name": "InitiatingProcessFileName", - "Type": "String" - }], - "Results": [{ - "EventTime": "2018-07-09T07:16:26.8017265", - "FileName": "csc.exe", - "InitiatingProcessFileName": "powershell.exe" - }, - { - "EventTime": "2018-07-08T19:00:02.7798905", - "FileName": "gpresult.exe", - "InitiatingProcessFileName": "powershell.exe" - }] + "Schema": [ + { + "Name": "Timestamp", + "Type": "DateTime" + }, + { + "Name": "FileName", + "Type": "String" + }, + { + "Name": "InitiatingProcessFileName", + "Type": "String" + }, + { + "Name": "DeviceId", + "Type": "String" + } + ], + "Results": [ + { + "Timestamp": "2020-02-05T01:10:26.2648757Z", + "FileName": "csc.exe", + "InitiatingProcessFileName": "powershell.exe", + "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3" + }, + { + "Timestamp": "2020-02-05T01:10:26.5614772Z", + "FileName": "csc.exe", + "InitiatingProcessFileName": "powershell.exe", + "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3" + } + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md index 9a903d296f..a0a67a5dd0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/score.md @@ -37,41 +37,4 @@ Property | Type | Description :---|:---|:--- Score | Double | The current score. Time | DateTime | The date and time in which the call for this API was made. -RbacGroupId | Nullable Int | RBAC Group ID. - - -### Response example for getting machine groups score: - -``` -GET https://api.securitycenter.windows.com/api/exposureScore/byMachineGroups -``` - -```json -{ - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore", - "value": [ - { - "time": "2019-12-03T07:26:49.9376328Z", - "score": 41.38041766305988, - "rbacGroupId": 10 - }, - { - "time": "2019-12-03T07:26:49.9376375Z", - "score": 23.58823563070858, - "rbacGroupId": 5 - }, - { - "time": "2019-12-03T07:26:49.9376382Z", - "score": 37.403726933165366, - "rbacGroupId": 11 - }, - { - "time": "2019-12-03T07:26:49.9376388Z", - "score": 26.323200116475423, - "rbacGroupId": 9 - } - ] -} - - -``` +RbacGroupName | String | The machine group name. diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md deleted file mode 100644 index 1ac2ee7415..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md +++ /dev/null @@ -1,315 +0,0 @@ ---- -title: Configure the security controls in Secure score -description: Configure the security controls in Secure score -keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, microsoft secure score, security controls, security control, improvement opportunities, edr, antivirus, av, os security updates -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Configure the security controls in Secure score - -**Applies to:** - -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -> [!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. - -Each security control lists recommendations that you can take to increase the security posture of your organization. - -### Endpoint detection and response (EDR) optimization - -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool. - -> [!IMPORTANT] -> This feature is available for machines on Windows 10, version 1607 or later. - -#### Minimum baseline configuration setting for EDR - -* Microsoft Defender ATP sensor is on -* Data collection is working correctly -* Communication to Microsoft Defender ATP service is not impaired - -##### Recommended actions - -You can take the following actions to increase the overall security score of your organization: - -* Turn on sensor -* Fix sensor data collection -* Fix impaired communications - -For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). - -### Windows Defender Antivirus (Windows Defender AV) optimization -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AV. - -> [!IMPORTANT] -> This feature is available for machines on Windows 10, version 1607 or later. - -#### Minimum baseline configuration setting for Windows Defender AV: -A well-configured machine for Windows Defender AV meets the following requirements: - -- Windows Defender AV is reporting correctly -- Windows Defender AV is turned on -- Security intelligence is up-to-date -- Real-time protection is on -- Potentially Unwanted Application (PUA) protection is enabled - -You can take the following actions to increase the overall security score of your organization: - ->[!NOTE] -> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the machine. - -- Fix antivirus reporting - - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md). -- Turn on antivirus -- Update antivirus Security intelligence -- Turn on real-time protection -- Turn on PUA protection - -For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md). - -### OS security updates optimization - -This tile shows you the number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds. - -> [!IMPORTANT] -> This feature is available for machines on Windows 10, version 1607 or later. - -You can take the following actions to increase the overall security score of your organization: - -* Install the latest security updates -* Fix sensor data collection - * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). - -For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter). - -### Windows Defender Exploit Guard (Windows Defender EG) optimization - - -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline. - -> [!IMPORTANT] -> This security control is only applicable for machines with Windows 10, version 1709 or later. - -#### Minimum baseline configuration setting for Windows Defender EG - -Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met: - -* System level protection settings are configured correctly -* Attack Surface Reduction rules are configured correctly -* Controlled Folder Access setting is configured correctly - -##### System level protection - -The following system level configuration settings must be set to **On or Force On**: - -1. Control Flow Guard -2. Data Execution Prevention (DEP) -3. Randomize memory allocations (Bottom-up ASLR) -4. Validate exception chains (SEHOP) -5. Validate heap integrity - -> [!NOTE] -> The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline. -> Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection. - -##### Attack Surface Reduction (ASR) rules - -The following ASR rules must be configured to **Block mode**: - -Rule description | GUIDs --|- -Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D -Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B - -> [!NOTE] -> The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. -> Consider enabling this rule in **Audit** or **Block mode** for better protection. - -##### Controlled Folder Access - -The Controlled Folder Access setting must be configured to **Audit mode** or **Enabled**. - -> [!NOTE] -> Audit mode, allows you to see audit events in the Microsoft Defender ATP Machine timeline however it does not block suspicious applications. -> Consider enabling Controlled Folder Access for better protection. - -##### Recommended actions - -You can take the following actions to increase the overall security score of your organization: - -- Turn on all system-level Exploit Protection settings -- Set all ASR rules to enabled or audit mode -- Turn on Controlled Folder Access -- Turn on Windows Defender Antivirus on compatible machines - -### Windows Defender Application Guard (Windows Defender AG) optimization -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG. When endpoints are configured according to the baseline, Windows Defender AG events shows on the Microsoft Defender ATP Machine timeline. - -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline. - -> [!IMPORTANT] -> This security control is only applicable for machines with Windows 10, version 1709 or later. - -#### Minimum baseline configuration setting for Windows Defender AG: -A well-configured machine for Windows Defender AG meets the following requirements: - -- Hardware and software prerequisites are met -- Windows Defender AG is turned on compatible machines -- Managed mode is turned on - -You can take the following actions to increase the overall security score of your organization: - -* Ensure hardware and software prerequisites are met - - > [!NOTE] - > This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on. - -* Turn on Microsoft Defender AG on compatible machines -* Turn on managed mode - -For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). - -### Windows Defender SmartScreen optimization - -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen. - -> [!WARNING] -> Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. - -> [!IMPORTANT] -> This security control is only applicable for machines with Windows 10, version 1709 or later. - -#### Minimum baseline configuration setting for Windows Defender SmartScreen: - -The following settings must be configured with the following settings: - -* Check apps and files: **Warn** or **Block** -* Microsoft Defender SmartScreen for Microsoft Edge: **Warn** or **Block** -* Microsoft Defender SmartScreen for Microsoft store apps: **Warn** or **Off** - -You can take the following actions to increase the overall security score of your organization: - -- Set **Check app and files** to **Warn** or **Block** -- Set **Windows Defender SmartScreen for Microsoft Edge** to **Warn** or **Block** -- Set **Windows Defender SmartScreen for Microsoft store apps** to **Warn** or **Off** - -For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). - -* Set **Check app and files** to **Warn** or **Block** -* Set **Windows Defender SmartScreen for Microsoft Edge** to **Warn** or **Block** -* Set **Windows Defender SmartScreen for Microsoft store apps** to **Warn** or **Off** - -For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). - -### Windows Defender Firewall optimization - -A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall. - -> [!IMPORTANT] -> This security control is only applicable for machines with Windows 10, version 1709 or later. - -#### Minimum baseline configuration setting for Windows Defender Firewall - -* Microsoft Defender Firewall is turned on for all network connections -* Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked -* Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked -* Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked - -For more information on Windows Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy). - -> [!NOTE] -> If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely. - -##### Recommended actions - -You can take the following actions to increase the overall security score of your organization: - -* Turn on firewall -* Secure domain profile -* Secure private profile -* Secure public profile -* Verify secure configuration of third-party firewall -* Fix sensor data collection - * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). - -For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). - -### BitLocker optimization - -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker. - -> [!IMPORTANT] -> This security control is only applicable for machines with Windows 10, version 1803 or later. - -#### Minimum baseline configuration setting for BitLocker - -* Ensure all supported drives are encrypted -* Ensure that all suspended protection on drives resume protection -* Ensure that drives are compatible - -##### Recommended actions - -You can take the following actions to increase the overall security score of your organization: - -* Encrypt all supported drives -* Resume protection on all drives -* Ensure drive compatibility -* Fix sensor data collection - * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). - -For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview). - -### Windows Defender Credential Guard optimization -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Credential Guard. - -> [!IMPORTANT] -> This security control is only applicable for machines with Windows 10, version 1709 or later. - -#### Minimum baseline configuration setting for Windows Defender Credential Guard: -Well-configured machines for Windows Defender Credential Guard meets the following requirements: - -- Hardware and software prerequisites are met -- Windows Defender Credential Guard is turned on compatible machines - -##### Recommended actions - -You can take the following actions to increase the overall security score of your organization: - -* Ensure hardware and software prerequisites are met -* Turn on Credential Guard -* Fix sensor data collection - * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). - -For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage). - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) - -## Related topics - -* [Overview of Secure score](overview-secure-score.md) -* [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -* [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -* [Exposure score](tvm-exposure-score.md) -* [Configuration score](configuration-score.md) -* [Security recommendations](tvm-security-recommendation.md) -* [Remediation](tvm-remediation.md) -* [Software inventory](tvm-software-inventory.md) -* [Weaknesses](tvm-weaknesses.md) -* [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index ea54e6d0ea..00820b5fe4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md @@ -121,5 +121,5 @@ Click the user account to see details about the user account. For more informati ## Related topics - [Understand the Microsoft Defender Advanced Threat Protection portal](use.md) - [Portal overview](portal-overview.md) -- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) +- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) - [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index a1c5557fed..2ade5dcf42 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md @@ -26,6 +26,11 @@ Cyberthreats are emerging more frequently and prevalently. It is critical for or Threat analytics is a set of reports published by Microsoft security researchers as soon as emerging threats and outbreaks are identified. The reports help you assess the impact of threats to your environment and identify actions that can contain them. +Watch this short video to quickly understand how threat analytics can help you track the latest threats and stop them. +

      + +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bw1f] + ## View the threat analytics dashboard The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It provides several overviews about the threats covered in the reports: diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 7df11c3d9e..9f6f5b45c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -85,8 +85,9 @@ To lower down your threat and vulnerability exposure: 6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases. ## Improve your security configuration + >[!NOTE] -> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). The secure score page is available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page. +> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md index e49cc30afe..56a0d71130 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md @@ -73,7 +73,7 @@ You'll need to whitelist the `securitycenter.windows.com` and all sub-domains un ## Portal communication issues -If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communciation. +If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communication. - `*.blob.core.windows.net crl.microsoft.com` @@ -89,4 +89,4 @@ crl.microsoft.com` ## Related topics -- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing.md) \ No newline at end of file +- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md index 6641950721..cc0b92af10 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md @@ -39,9 +39,7 @@ If your client secret expires or if you've misplaced the copy provided when you 3. Select your tenant. -4. Click **App registrations**. Then in the applications list, select the application: - - For SIEM: `https://WindowsDefenderATPSiemConnector` - - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector` +4. Click **App registrations**. Then in the applications list, select the application. 5. Select **Keys** section, then provide a key description and specify the key validity duration. @@ -59,9 +57,7 @@ If you encounter an error when trying to get a refresh token when using the thre 3. Select your tenant. -4. Click **App Registrations**. Then in the applications list, select the application: - - For SIEM: `https://WindowsDefenderATPSiemConnector` - - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector` +4. Click **App Registrations**. Then in the applications list, select the application. 5. Add the following URL: - For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index ffd3002549..a0465dd642 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -66,10 +66,10 @@ When you submit a remediation request from Threat & Vulnerability Management, it It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune. -The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task. +The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task. ## When to file for exception instead of remediating issues -You can file exceptions to exclude certain recommendation from showing up in reports and affecting risk scores or secure scores. +You can file exceptions to exclude certain recommendation from showing up in reports and affecting your configuration score. When you select a security recommendation, it opens up a flyout screen with details and options for your next step. You can either **Open software page**, choose from **Remediation options**, go through **Exception options** to file for exceptions, or **Report inaccuracy**. @@ -113,10 +113,10 @@ Clicking the link opens up to the **Security recommendations** page, where you c - **In effect** - The exception that you've filed is in progress ### Exception impact on scores -Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Secure Score (for configurations) of your organization in the following manner: +Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Configuration Score (for configurations) of your organization in the following manner: - **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores - **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control. -- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Secure Score results out of the exception option that you made +- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Configuration Score results out of the exception option that you made The exception impact shows on both the Security recommendations page column and in the flyout pane. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index 1ffd2a0270..de5dd35eec 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -1,6 +1,6 @@ --- title: Weaknesses -description: Windows Defender Security Center offers a Weaknesses page, which lists vulnerabilities found in the infected software running in your organization. +description: Microsoft Defender Security Center offers a Weaknesses page, which lists vulnerabilities found in the infected software running in your organization. keywords: mdatp threat & vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index dbf6830312..1b86e94b66 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -29,7 +29,7 @@ Microsoft Defender Security Center is the portal where you can access Microsoft Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network. -Use the **Secure Score** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization. +Use the **Threat & Vulnerability Management** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization. Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown. @@ -39,5 +39,5 @@ Topic | Description :---|:--- [Portal overview](portal-overview.md) | Understand the portal layout and area descriptions. [View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. -[View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. +[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines. [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify machines for the presence or absence of mitigations. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index 379bc21985..e55dfe29c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -70,7 +70,7 @@ The following steps guide you on how to create roles in Microsoft Defender Secur For more information on the available commands, see [Investigate machines using Live response](live-response.md). -4. Click **Next** to assign the role to an Azure AD group. +4. Click **Next** to assign the role to an Azure AD Security group. 5. Use the filter to select the Azure AD group that you'd like to add to this role. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index 5a60f9e9ae..aa2f21d63e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md @@ -26,7 +26,7 @@ ms.topic: article Web content filtering is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns. -You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions. +You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions. If an element on the page you’re viewing is making calls to a resource which is blocked, you will see a block notification. Web content filtering is available on most major web browsers, with blocks performed by SmartScreen (Edge) and Network Protection (Internet Explorer, Chrome, Firefox, and all other browsers). See the prerequisites section for more information about browser support. @@ -73,7 +73,7 @@ Cyren's web content classification technology is integrated by design into Micro Learn more at https://www.cyren.com/products/url-filtering. -### Cyren permissions +### Cyren Permissions "Sign in and read user profile" allows Cyren to read your tenant info from your Microsoft Defender ATP account, such as your tenant ID, which will be tied to your Cyren license. @@ -168,4 +168,4 @@ You need to be logged in to an AAD account with either App administrator or Glob - [Web protection overview](web-protection-overview.md) - [Web threat protection](web-threat-protection.md) - [Monitor web security](web-protection-monitoring.md) -- [Respond to web threats](web-protection-response.md) \ No newline at end of file +- [Respond to web threats](web-protection-response.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md index d3dd75a836..877203d476 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md @@ -1,7 +1,7 @@ --- title: Web protection description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization -keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser +keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, malicious websites search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -36,7 +36,7 @@ Web threat protection includes: ## Web content filtering -The cards that make up web content filtering are **Web activity by category**, **Web content filtering summary**, and **Web activity summary**. +The cards that comprise web content filtering are **Web activity by category**, **Web content filtering summary**, and **Web activity summary**. Web content filtering includes: - Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 727eb7097a..5d4835f444 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 07/13/2017 +ms.date: 2/6/2020 --- # Increase scheduling priority @@ -75,15 +75,15 @@ A user who is assigned this user right could increase the scheduling priority of ### Countermeasure -Verify that only Administrators and Window Manager/Window Manager Group have the **Increase scheduling priority** user right assigned to them. +Verify that only Administrators and Window Manager\Window Manager Group have the **Increase scheduling priority** user right assigned to them. ### Potential impact -None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager/Window Manager Group is the default configuration. +None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager\Window Manager Group is the default configuration. > [!Warning] > If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. -> +> > On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md index c9c8515fe5..a20693d19b 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md @@ -32,6 +32,9 @@ If smart cards are used for authentication, the device should automatically lock If you select **Force Logoff** in the property sheet for this policy setting, the user is automatically logged off when the smart card is removed. Users will have to reinsert their smart cards and reenter their PINs when they return to their workstations. +> [!NOTE] +> This policy depends on **Smart Card Removal Policy** service. The service must be running for the policy to take effect, so it is recommended to set the startup type of the service to **Automatic**. + ### Possible values - No Action diff --git a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md new file mode 100644 index 0000000000..228378515b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md @@ -0,0 +1,75 @@ +--- +title: What to do with false positives/negatives in Windows Defender Antivirus +description: Did Windows Defender Antivirus miss or wrongly detect something? Find out what you can do. +keywords: Windows Defender Antivirus, false positives, false negatives, exclusions +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 02/05/2020 +ms.reviewer: +manager: dansimp +audience: ITPro +ms.topic: article +--- + +# What to do with false positives/negatives in Windows Defender Antivirus + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Windows Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Windows Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware and spyware across email, apps, the cloud, and the web. + +But what if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these things. You can: +- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis); +- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring); or +- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) by Windows Defender Antivirus. + +## Submit a file to Microsoft for analysis + +1. Review the [submission guidelines](../intelligence/submission-guide.md). +2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission). + +> [!TIP] +> We recommend signing in at the submission portal so you can track the results of your submissions. + +## Create an "Allow" indicator to prevent a false positive from recurring + +If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Windows Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe. + +To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). + +## Define an exclusion on an individual Windows device to prevent an item from being scanned + +When you define an exclusion for Windows Defender Antivirus, you configure your antivirus to skip that item. + +1. On your Windows 10 device, open the Windows Security app. +2. Select **Virus & threat protection** > **Virus & threat protection settings**. +3. Under **Exclusions**, select **Add or remove exclusions**. +4. Select **+ Add an exclusion**, and specify its type (**File**, **Folder**, **File type**, or **Process**). + +The following table summarizes exclusion types, how they're defined, and what happens when they're in effect. + +|Exclusion type |Defined by |What happens | +|---------|---------|---------| +|**File** |Location
      Example: `c:\sample\sample.test` |The specified file is skipped by Windows Defender Antivirus. | +|**Folder** |Location
      Example: `c:\test\sample` |All items in the specified folder are skipped by Windows Defender Antivirus. | +|**File type** |File extension
      Example: `.test` |All files with the specified extension anywhere on your device are skipped by Windows Defender Antivirus. | +|**Process** |Executable file path
      Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Windows Defender Antivirus. | + +To learn more, see: +- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus) +- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus) + +## Related articles + +[What is Microsoft Defender Advanced Threat Protection?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) + +[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 97287da999..af838d196f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -50,7 +50,7 @@ Block at first sight requires a number of settings to be configured correctly or ### Confirm block at first sight is enabled with Intune -1. In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**. +1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Windows Defender Antivirus**. > [!NOTE] > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. @@ -96,7 +96,7 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev ### Confirm block at first sight is enabled with Group Policy -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. @@ -119,19 +119,19 @@ If you had to change any of the settings, you should re-deploy the Group Policy ### Confirm block at first sight is enabled with the Windows Security app -You can confirm that block at first sight is enabled in Windows Settings. +You can confirm that block at first sight is enabled in your Windows security settings. -Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. +Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on. ### Confirm Block at First Sight is enabled on individual clients -1. Open the Windows Security app by clicking the shield icon in the task bar. +1. Open the Windows Security app. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Manage Settings** under **Virus & threat protection settings**: +2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**. ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) -3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. +3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on. > [!NOTE] > If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md index f6da565014..03cf88d610 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 02/05/2020 ms.reviewer: manager: dansimp --- @@ -23,21 +23,15 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans. - -The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection. - -Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. - -Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Windows Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions. +You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection. >[!WARNING] >Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. -## In this section +- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md). This enables you to exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location. -Topic | Description ----|--- -[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location -[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | Exclude files from scans that have been opened by a specific process -[Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined server role. You can also add custom exclusions. +- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process. + +## Related articles + +[Windows Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 9a1559d85e..7f217bed68 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -94,7 +94,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...**. - 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. + 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. 5. Click **OK**. @@ -364,3 +364,4 @@ You can also copy the string into a blank text file and attempt to save it with - [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) - [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Handling false positives/negatives](antivirus-false-positives-negatives.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index fa061b9284..59f19f11c9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 02/13/2020 ms.reviewer: manager: dansimp --- @@ -47,7 +47,7 @@ To configure these settings: 5. Deploy the Group Policy Object as usual. -Location | Setting | Configuration topic +Location | Setting | Article ---|---|---|--- MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) @@ -67,13 +67,13 @@ Scan | Configure local setting override for the scan type to use for a scheduled ## Configure how locally and globally defined threat remediation and exclusions lists are merged -You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md). +You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md), [specified remediation lists](configure-remediation-windows-defender-antivirus.md), and [attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction). By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence. You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used. -**Use Group Policy to disable local list merging:** +### Use Group Policy to disable local list merging 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 39f0cb02b4..69f56da605 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -43,7 +43,7 @@ The Windows Defender Antivirus cloud service provides fast, strong protection fo >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. -See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. +See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index 686871aec0..ef9bf3607a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md @@ -71,10 +71,10 @@ You can use Group Policy to: - Hide all notifications on endpoints - Hide reboot notifications on endpoints -Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. +Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. > [!NOTE] -> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). +> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 7835908e14..94b115e1e2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans. +You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans. This topic describes how to configure exclusion lists for the following: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index c0c4318e7b..5f0b5efdbe 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md @@ -25,7 +25,7 @@ manager: dansimp When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. -This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index 3532148261..86857fc378 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md @@ -39,7 +39,7 @@ The following broad categories of features can be configured: The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). -You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help. +You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help. ## In this section Topic | Description diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index b0b2030e32..3162bb5114 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans. +You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans. ## In this section diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md index 4e7ec5971c..faaa2c10dd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md @@ -80,6 +80,6 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by Topic | Description ---|--- -[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects. +[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects. [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI. [Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index 6f8dd3363b..bf74b6893b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection. +Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection. See the table in [Deploy, manage, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index fc883cd71d..3fb436099a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -13,7 +13,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: 01/06/2020 +ms.date: 02/12/2020 ms.reviewer: manager: dansimp --- @@ -45,11 +45,11 @@ The next major version of Microsoft Edge, which is Chromium-based, blocks potent #### Enable PUA protection in Chromium-based Microsoft Edge -Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is turned off by default, it can easily be turned on from within the browser. +Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser. -1. From the tool bar, select **Settings and more** > **Settings**. +1. Select the ellipses, and then choose **Settings**. 2. Select **Privacy and services**. -3. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off. +3. Under the **Services** section, turn on **Block potentially unwanted apps**. > [!TIP] > If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/jamf-onboarding.png b/windows/security/threat-protection/windows-defender-antivirus/images/jamf-onboarding.png new file mode 100644 index 0000000000..dedadfcc30 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/jamf-onboarding.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/tamperprotectsecurityrecos.png b/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectsecurityrecos.png similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/tamperprotectsecurityrecos.png rename to windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectsecurityrecos.png diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 0005561984..3dd89a2653 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -91,7 +91,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal- - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)). - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.) - - Your Windows machines must be running Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.) + - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.) - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above). - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).) @@ -119,7 +119,7 @@ Here's what you see in the Windows Security app: ### Are you using Windows OS 1709, 1803, or 1809? -If you are using Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled. +If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled. #### Use PowerShell to determine whether tamper protection is turned on @@ -147,7 +147,7 @@ Tamper protection integrates with [Threat & Vulnerability Management](https://do In the results, you can select **Turn on Tamper Protection** to learn more and turn it on. -![Turn on tamper protection](tamperprotectsecurityrecos.png) +![Turn on tamper protection](images/tamperprotectsecurityrecos.png) To learn more about Threat & Vulnerability Management, see [Threat & Vulnerability Management in Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights#threat--vulnerability-management-in-microsoft-defender-security-center). @@ -155,7 +155,7 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili ### To which Windows OS versions is configuring tamper protection is applicable? -Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). ### Is configuring tamper protection in Intune supported on servers? diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 80c59d0658..8631d5a627 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md @@ -23,27 +23,26 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/powershell/mt173057.aspx). +You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)). -For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) topic. +For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) topic. -PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. +PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. > [!NOTE] > PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/kb/927367). -Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. +Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_. - ## Use Windows Defender Antivirus PowerShell cmdlets -1. Click **Start**, type **powershell**, and press **Enter**. -2. Click **Windows PowerShell** to open the interface. -3. Enter the command and parameters. +1. In the Windows search bar, type **powershell**. +2. Select **Windows PowerShell** from the results to open the interface. +3. Enter the PowerShell command and any parameters. > [!NOTE] > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. @@ -53,6 +52,7 @@ To open online help for any of the cmdlets type the following: ```PowerShell Get-Help -Online ``` + Omit the `-online` parameter to get locally cached help. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 57b00a8aa0..9ba7a43bf9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -34,7 +34,7 @@ Although you can use a non-Microsoft antivirus solution with Microsoft Defender | |Advantage |Why it matters | |--|--|--| |1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | -|2|Threat analytics and your secure score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | +|2|Threat analytics and your configuration score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [configuration score](../microsoft-defender-atp/configuration-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | |3|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).| |4|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).| |5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index be4f7240f1..75d23d70dd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -27,18 +27,14 @@ In Windows 10, version 1703 and later, the Windows Defender app is part of the W Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703. > [!IMPORTANT] -> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. - -> [!WARNING] -> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
      If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. >It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. >This will significantly lower the protection of your device and could lead to malware infection. -See the [Windows Security topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. +See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. ->[!NOTE] ->The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). +The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). ## Review virus and threat protection settings in the Windows Security app @@ -130,6 +126,19 @@ This section describes how to perform some of the most common tasks when reviewi 5. Click the plus icon to choose the type and set the options for each exclusion. +The following table summarizes exclusion types and what happens: + +|Exclusion type |Defined by |What happens | +|---------|---------|---------| +|**File** |Location
      Example: `c:\sample\sample.test` |The specific file is skipped by Windows Defender Antivirus. | +|**Folder** |Location
      Example: `c:\test\sample` |All items in the specified folder are skipped by Windows Defender Antivirus. | +|**File type** |File extension
      Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Windows Defender Antivirus. | +|**Process** |Executable file path
      Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Windows Defender Antivirus. | + +To learn more, see: +- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus) +- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus) + ### Review threat detection history in the Windows Defender Security Center app 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or  diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md index acfdd8e57d..9f6e032b66 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md @@ -1,6 +1,6 @@ --- title: Document your AppLocker rules (Windows 10) -description: Learn how to document your Applocker rules with this planning guide. Associate rule conditions with files, permissions, rule source, and implementation. +description: Learn how to document your AppLocker rules and associate rule conditions with files, permissions, rule source, and implementation. ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd ms.reviewer: ms.author: dansimp @@ -23,7 +23,7 @@ ms.date: 09/21/2017 - Windows 10 - Windows Server -This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. +This topic describes what AppLocker rule conditions to associate with each file, how to associate these rule conditions, the source of the rule, and whether the file should be included or excluded. ## Record your findings @@ -119,9 +119,10 @@ The following table details sample data for documenting rule type and rule condi
      + ## Next steps -For each rule, determine whether to use the allow or deny option. Then, three tasks remain: +For each rule, determine whether to use the allow or deny option, and then complete the following tasks: - [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 6fc44116aa..d25131d06d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -43,8 +43,8 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo - All clients are running Windows 10 version 1903 or above; - All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune; -> [!NOTE] -> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) + > [!NOTE] + > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM). - Some, but not all, apps are deployed using MEMCM; - Most users are local administrators on their devices; @@ -117,7 +117,7 @@ Alice follows these steps to complete this task: $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*" $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*" $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*" - Merge-CIPolicy -OutputFilePath = $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules + Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules ``` 7. If appropriate, add additional signer or file rules to further customize the policy for your organization. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index ba4929c2f6..b3b52de9b2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -46,7 +46,7 @@ Windows 10 includes two technologies that can be used for application control de Windows Defender Application Control (WDAC) was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC). > [!NOTE] -> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies. +> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies. WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: - Attributes of the codesigning certificate(s) used to sign an app and its binaries; @@ -58,9 +58,8 @@ WDAC policies apply to the managed computer as a whole and affects all users of ### WDAC System Requirements -WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above. -They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. -Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above. +WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above. +WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a scripthost like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10. ## AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 0684b674b2..1e8839b354 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -83,7 +83,7 @@ To trust a subdomain, you must precede your domain with two dots, for example: ` ### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? -When using Windows Pro and Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). +When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). ### Is there a size limit to the domain lists that I need to configure? diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index c8d5d6ec1c..5c81b7eb36 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 11/09/2017 +ms.date: 02/11/2020 ms.reviewer: manager: dansimp ms.custom: asr @@ -42,3 +42,4 @@ Your environment needs the following software to run Windows Defender Applicatio |Operating system|Windows 10 Enterprise edition, version 1709 or higher
      Windows 10 Professional edition, version 1803 or higher
      Windows 10 Professional for Workstations edition, version 1803 or higher
      Windows 10 Professional Education edition version 1803 or higher
      Windows 10 Education edition, version 1903 or higher
      Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. | |Browser|Microsoft Edge and Internet Explorer| |Management system
      (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

      **-OR-**

      [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/)

      **-OR-**

      [Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

      **-OR-**

      Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| +|Windows Defender Exploit Protection settings|The following settings should be configured or verified in the **Windows Security** app under **App & browser control** > **Exploit protection** > **Exploit protection settings** > **System Settings**.

      **Control flow guard (CFG)** must be set to **Use default (On)** or **Off by default**. If set to **On by default**, [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard) will not launch.

      **Randomize memory allocations (Bottom-up ASLR)** must be set to **Use default (On)** or **Off by default**. If set to "On by default", the `Vmmem` process will have high CPU utilization while a Windows Defender Application Guard window is open.|