deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-20 01:07:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into jdsb

Browse Source
This commit is contained in:
Jeanie Decker 2018-11-16 06:02:52 -08:00
commit 1a960fb91a
32 changed files with 2197 additions and 741 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -13889,6 +13889,11 @@
"source_path": "education/windows/windows-automatic-redeployment.md",
"redirect_url": "/education/windows/autopilot-reset",
"redirect_document_id": true
},
{
"source_path": "windows/privacy/manage-windows-endpoints.md",
"redirect_url": "/windows/privacy/manage-windows-1809-endpoints",
"redirect_document_id": true
}
]
}

393
windows/client-management/advanced-troubleshooting-boot-problems Normal file
View File

@ -0,0 +1,393 @@
---
title: Advanced Troubleshooting Windows boot problems
description: Learn how troubleshooting unable to boot Windows
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: kaushika-msft
ms.localizationpriority: medium
ms.author: elizapo
ms.date:
---
## Advanced Troubleshooting Windows boot problems
!>**Notice to home users**
>This article is intended for use by support agents and IT professionals. If
you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://internal.support.services.microsoft.com/en-us/help/12415).
### Summary
There are several reasons why a Windows-based computer may hang during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
| **No** | **Boot Process** | **BIOS** | **UEFI** |
|--------|----------------------|-----------------------------------------------------------------------------|
| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
| 2 | Windows Boot Manager | %SystemDrive%\bootmgr | \EFI\Microsoft\Boot\bootmgfw.efi |
| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi |
| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe |
**1. PreBoot**
The PCs firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot
Manager.
**2. Windows Boot Manager**
Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
**3. Windows operating system loader**
Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
**4. Windows NT OS Kernel**
The kernel load into memory the system registry hive and additional drivers that are marked as BOOT_START.
The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that are not marked BOOT_START.
Here is a summary of Boot Sequence vs Display and Typical NoBoot. Before starting troubleshooting, you have to understand the outline of boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
![](media/6ed145ee3760b545fcbe277ea7d5c88d.png)
Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases.
**Note**If the computer repeatedly boots to the recovery options, run the following command at a command prompt to break the cycle:
```dos
Bcdedit /set {default} recoveryenabled no
```
If the F8 options don't work, run the following command:
```dos
Bcdedit /set {default} bootmenupolicy legacy
```
#### BIOS phase
To determine whether the system has passed the BIOS phase, follow these steps:
1. If there are any external peripherals connected to the computer, disconnect them.
2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase.
3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS.
If the system is stuck at the BIOS phase, there may be a hardware problem.
#### Boot loader phase
If the screen is completely black except for a blinking cursor, or if you receive one of the following error codes, this indicates that the boot process is stuck in the Boot Loader phase:
- Boot Configuration Data (BCD) missing or corrupted
- Boot file or MBR corrupted
- Operating system Missing
- Boot sector missing or corrupted
- Bootmgr missing or corrupted
- Unable to boot due to system hive missing or corrupted
To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods.
##### Method 1: Startup Repair tool
The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically.
To do this, follow these steps.
**Note** For additional methods to start WinRE, see [Entry points into
WinRE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
1. Start the system to the installation media for the installed version of Windows.
**Note** For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088).
2. On the **Install Windows** screen, select **Next** > **Repair your computer**.
3. On the **System Recovery Options** screen, select **Next** > **Command Prompt**.
4. After Startup Repair, select Shutdown, then turn on your PC to see if OS can boot properly.
The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location:
> %windir%\System32\LogFiles\Srt\Srttrail.txt
For more information see, [A Stop error occurs, or the computer stops responding when you try to start
Windows Vista or Windows 7
](https://support.microsoft.com/en-us/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
##### Method 2: Repair Boot Codes
To repair boot codes, run the following command:
```dos
BOOTREC /FIXMBR
```
To repair the boot sector, run the following command:
```dos
BOOTREC /FIXBOOT
```
**Note** Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem.
##### Method 3: Fix BCD errors
If you receive BCD-related errors, follow these steps:
1. Scan for all the systems that are installed. To do this, run the following command:
```dos
Bootrec /ScanOS
```
2. Restart the computer to check whether the problem is fixed.
3. If the problem is not fixed, run the following command:
```dos
Bootrec /rebuildbcd
```
4. You might receive one of the following outputs:
> Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 0
The operation completed successfully.
> Scanning all disks for Windows installations. Please wait, since this may take a while... Successfully scanned Windows installations. Total identified Windows installations: 1
D:\Windows
Add installation to boot list? Yes/No/All:
If the output shows **windows installation: 0**, run the following commands:
```dos
bcdedit /export c:\bcdbackup
attrib c:\\boot\\bcd -h -r s
ren c:\\boot\\bcd bcd.old
bootrec /rebuildbcd
```
After you run the command, you receive the following output:
> Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 1{D}:\Windows
Add installation to boot list? Yes/No/All: Y
5. Try again to start the system.
##### Method 4: Replace Bootmgr
If methods 1 and 2 do not fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this, follow these steps:
1. At a command prompt, change the directory to the System Reserved partition.
2. Run the **attrib** command to unhide the file:
```dos
attrib-s -h -r
```
3. Run the same **attrib** command on the Windows (system drive):
```dos
attrib-s -h r
```
4. Rename the Bootmgr file as Bootmgr.old:
```dos
ren c:\\bootmgr bootmgr.old
```
5. Start a text editor, such as Notepad.
6. Navigate to the system drive.
7. Copy the Bootmgr file, and then paste it to the System Reserved partition.
8. Restart the computer.
##### Method 5: Restore System Hive
If Windows cannot load the system registry hive into memory, you must restore the system hive. To do this, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the
C:\Windows\System32\config\RegBack to C:\Windows\System32\config.
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
#### Kernel Phase
If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following:
- A Stop error appears after the splash screen (Windows Logo screen).
- Specific error code is displayed.
For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
(To troubleshoot the 0x0000007B error, see [Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)](https://internal.support.services.microsoft.com/en-us/help/4343769/troubleshooting-guide-for-windows-boot-problems#0x7bstoperror))
- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
- A black screen appears after the splash screen.
To troubleshoot these problems, try the following recovery boot options one at a time.
Scenario 1: [Try to start the computer in Safe mode or Last Known Good Configuration]()
On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps:
1. Use one of the following methods to open Event Viewer:
- Click **Start**, point to **Administrative Tools**, and then click
**Event Viewer**.
- Start the Event Viewer snap-in in Microsoft Management Console (MMC).
2. In the console tree, expand Event Viewer, and then click the log that you
want to view. For example, click **System log** or **Application log**.
3. In the details pane, double-click the event that you want to view.
4. On the **Edit** menu, click **Copy**, open a new document in the program in
which you want to paste the event (for example, Microsoft Word), and then
click **Paste**.
5. Use the Up Arrow or Down Arrow key to view the description of the previous
or next event.
#### Clean boot
To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig).
Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you cannot find the cause, try including system services. However, in most cases, the problematic service is third-party.
Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**.
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows).
If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement:
[Troubleshooting boot problem caused by missing driver signature
(x64)](https://blogs.technet.microsoft.com/askcore/2012/04/15/troubleshooting-boot-issues-due-to-missing-driver-signature-x64/)
**Note**
- If the computer is a domain controller, try Directory Services Restore mode (DSRM).
- This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2"
**Examples**
> Warning
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these
problems can be solved. Modify the registry at your own risk.
*Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)*
To troubleshoot this Stop error, follow these steps to filter the drivers:
1. Go to Window Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version.
2. Open the registry.
3. Load the system hive, and name it as "test."
4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers:
**HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class**
5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data.
6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive.
7. Restart the server in Normal mode.
For additional troubleshooting steps, see the following articles:
- [Troubleshooting a Stop 0x7B in
Windows](https://blogs.technet.microsoft.com/askcore/2013/08/05/troubleshooting-a-stop-0x7b-in-windows/)
- [Advanced troubleshooting for "Stop error code 0x0000007B (INACCESSIBLE_BOOT_DEVICE)" errors in Windows
XP](https://internal.support.services.microsoft.com/en-us/help/324103).
To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
1. Open a Command Prompt winodw in WinRE.
2. Run the command:
```dos
dism /image:C:\ /get-packages
```
3. If there are any pending updates, uninstall them by running the following commands:
```dos
DISM /image:C:\ /remove-package /packagename: name of the package
```
```dos
Dism /Image:C:\ /Cleanup-Image /RevertPendingActions
```
Try to start the computer.
If the computer does not start, follow these steps:
1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad.
2. Navigate to the system drive, and search for windows\winsxs\pending.xml.
3. If the Pending.xml file is found, rename the file as Pending.xml.old.
4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test.
5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value.
6. If the **pendingxmlidentifier** value exists, delete the value.
7. Unload the test hive.
8. Load the system hive, name it as "test".
9. Navigate to the following subkey:
**HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller**
10. Change the **Start** value from **1** to **4**
11. Unload the hive.
12. Try to start the computer.
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following Knowledge Base article:
- [969028](https://support.microsoft.com/help/969028) How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2
For more information about page file problems in Windows 10 or Windows Server 2016, see the following Knowledge Base article:
- [4133658](https://support.microsoft.com/help/4133658) Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows
For more information about Stop errors, see the following Knowledge Base article:
- [3106831](https://support.microsoft.com/help/3106831) Troubleshooting Stop error problems for IT Pros
If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines:
- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
- If the driver is not important and has no dependencies, load the system hive, and then disable the driver.
- If the stop error indicates system file corruption, run the system file checker in offline mode.
- To do this, open WinRE, open a command prompt, and then run the following command:
```dos
SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows
```
For more information, see [Using System File Checker (SFC) To Fix Issues](https://blogs.technet.microsoft.com/askcore/2007/12/18/using-system-file-checker-sfc-to-fix-issues/)
- If there is disk corruption, run the check disk command:
```dos
chkdsk /f /r
```
- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
1. Start WinRE, and open a Command Prompt window.
2. Start a text editor, such as Notepad.
3. Navigate to C\Windows\System32\Config\.
4. Rename the all five hives by appending ".old" to the name.
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.

797
windows/client-management/data-collection-for-802-authentication.md
View File

@ -14,538 +14,371 @@ ms.date: 10/29/2018
# Data Collection for Troubleshooting 802.1x Authentication
## Steps to capture Wireless/Wired functionality logs
## Capture wireless/wired functionality logs
Use the following steps to collect wireless and wired logs on Windows and Windows Server:
1. Create C:\MSLOG on the client machine to store captured logs.
2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log:
2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log.
**On Windows 8.1, Windows 10 Wireless Client**
**Wireless Windows 8.1 and Windows 10:**
```dos
netsh ras set tracing * enabled
```
```dos
netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
```
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
```
**On Windows 7, Winodws 8 Wireless Client**
```dos
netsh ras set tracing * enabled
```
```dos
netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
```
**Wireless Windows 7 and Windows 8:**
```
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
```
**On Wired network client**
```dos
netsh ras set tracing * enabled
```
```dos
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl
```
**Wired client, regardless of version**
```
netsh ras set tracing * enabled
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl
```
3. Run the followind command to enable CAPI2 logging:
```dos
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
```
3. Run the following command to enable CAPI2 logging:
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
```
4. Create C:\MSLOG on the NPS to store captured logs.
5. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log:
**On Windows Server 2012 R2, Windows Server 2016 Wireless network**
**Windows Server 2012 R2, Windows Server 2016 wireless network:**
```dos
netsh ras set tracing * enabled
```
```dos
netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
```
**On Windows Server 2008 R2, Winodws Server 2012 Wireless network**
**Windows Server 2008 R2, Windows Server 2012 wireless network**
```dos
netsh ras set tracing * enabled
```
```dos
netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
```
**On wired network**
**Wired network**
```dos
netsh ras set tracing * enabled
```
```dos
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl
netsh ras set tracing * enabled
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl
```
6. Run the followind command to enable CAPI2 logging:
6. Run the following command to enable CAPI2 logging:
```dos
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
```
7. Run the following command from the command prompt on the client machine and start PSR to capture screen images:
> [!NOTE]
> When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
> [!NOTE]
> When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
```dos
```
psr /start /output c:\MSLOG\%computername%\_psr.zip /maxsc 100
```
8. Repro the issue.
9. Run the following command on the client machine to stop the PSR capturing:
9. Run the following command on the client PC to stop the PSR capturing:
```dos
psr /stop
```
```
psr /stop
```
10. Run the following commands from the command prompt on the NPS.
**Stopping RAS trace log and Wireless scenario log**
- To stop RAS trace log and wireless scenario log:
```dos
netsh trace stop
```
```dos
netsh ras set tracing * disabled
```
**Disabling and copying CAPI2 log**
```
netsh trace stop
netsh ras set tracing * disabled
```
- To disable and copy CAPI2 log:
```dos
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
```
```dos
wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
```
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
```
11. Run the following commands from the prompt on the client machine.
11. Run the following commands on the client PC.
- To stop RAS trace log and wireless scenario log:
```
netsh trace stop
netsh ras set tracing * disabled
```
**Stopping RAS trace log and Wireless scenario log**
- To disable and copy the CAPI2 log:
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
```
12. Save the following logs on the client and the NPS:
**Client**
- C:\MSLOG\%computername%_psr.zip
- C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx
- C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
- C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
- All log files and folders in %Systemroot%\Tracing
**NPS**
- C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
- C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
- C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
- All log files and folders in %Systemroot%\Tracing
```dos
netsh trace stop
```
```dos
netsh ras set tracing * disabled
```
**Disabling and copying CAPI2 log**
## Save environmental and configuration information
### On Windows client
```dos
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
```
```dos
wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
```
12. Save the following logs on the client and the NPS.
**Client**
- C:\MSLOG\%computername%_psr.zip
- C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx
- C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
- C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
- All log files and folders in %Systemroot%\Tracing
**NPS**
- C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
- C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
- C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
- All log files and folders in %Systemroot%\Tracing
### Steps to save environmental / configuration information
**Client**
1. Create C:\MSLOG to store captured logs.
2. Launch a command prompt as an administrator.
3. Run the following commands.
- Environmental information and Group Policies application status
```dos
gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm
msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
```
**Event logs**
**Run the following command on Windows 8 and above **
```dos
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
```
```dos
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
```
**Certificates Store information**
```dos
certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
```
**Wireless LAN Client information**
```dos
netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt
netsh wlan export profile folder=c:\MSLOG\
```
**Wired LAN Client information**
```dos
netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt
netsh lan export profile folder=c:\MSLOG\
```
4. Save the logs stored in C:\MSLOG.
**NPS**
1. Create C:\MSLOG to store captured logs.
2. Launch a command prompt as an administrator.
3. Run the following commands:
**Environmental information and Group Policies application status**
```dos
gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
- Environmental information and Group Policies application status
```
gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm
msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
```
- Event logs
```
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
```
- For Windows 8 and later, also run these commands for event logs:
```
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
```
- Certificates Store information:
```
certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
```
- Wireless LAN client information:
```
netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt
netsh wlan export profile folder=c:\MSLOG\
```
- Wired LAN Client information
```
netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt
netsh lan export profile folder=c:\MSLOG\
```
4. Save the logs stored in C:\MSLOG.
### On NPS
1. Create C:\MSLOG to store captured logs.
2. Launch a command prompt as an administrator.
3. Run the following commands.
- Environmental information and Group Policies application status:
```
gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
```
- Event logs:
```
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
```
- Run the following 3 commands on Windows Server 2012 and later:
```
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
```
- Certificates store information
```
certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
```
- NPS configuration information:
```
netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt
netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES
```
3. Take the following steps to save an NPS accounting log.
1. Open **Administrative tools > Network Policy Server**.
2. On the Network Policy Server administration tool, select **Accounting** in the left pane.
3. Click **Change Log File Properties**.
4. On the **Log File** tab, note the log file naming convention shown as **Name** and the log file location shown in **Directory** box.
5. Copy the log file to C:\MSLOG.
**Event logs**
**Run the following 3 commands on Windows Server 2012 and above:**
```dos
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
```
4. Save the logs stored in C:\MSLOG.
```dos
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
```
### Certificate Authority (CA) (OPTIONAL)
**Certificates store information**
```dos
certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
```
**NPS configuration information**
```dos
netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt
netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES
```
3. Take the following steps to save an NPS accounting log:
4. Launch **Administrative tools** - **Network Policy Server**.
- On the Network Policy Server administration tool, select **Accounting** in the left pane.
- Click **Change Log File Properties** in the right pane.
- Click the **Log File** tab, note the log file naming convention shown as *Name* and the log file location shown in the **Directory** box.
- Copy the log file to C:\MSLOG.
- Save the logs stored in C:\MSLOG.
**Certificate Authority (CA)** *Optional*
1. On a CA, launch a command prompt as an administrator.
2. Create C:\MSLOG to store captured logs.
3. Run the following commands:
Environmental information and Group Policies application status
```dos
gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
```
**Event logs**
**Run the following 3 lines on Windows 2012 and up:**
```dos
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
```
```dos
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
```
**Certificates store information**
```dos
certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
```
**CA configuration information**
```dos
reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv
reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt
reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv
reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx
```
4. Copy the following files, if exist, to C:\MSLOG. %windir%\CAPolicy.inf
5. Log on to a domain controller and create C:\MSLOG to store captured logs.
6. Launch Windows PowerShell as an administrator.
7. Run the following PowerShell commandlets
\* Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
```powershell
Import-Module ActiveDirectory
Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt
```
8. Save the following logs:
- All files in C:\MSLOG on the CA
- All files in C:\MSLOG on the domain controller
1. On a CA, launch a command prompt as an administrator. Create C:\MSLOG to store captured logs.
2. Run the following commands.
- Environmental information and Group Policies application status
```
gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
```
- Event logs
```
wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
```
- Run the following 3 lines on Windows 2012 and up
```
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
```
- Certificates store information
```
certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
```
- CA configuration information
```
reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv
reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt
reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv
reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx
```
3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf
4. Log on to a domain controller and create C:\MSLOG to store captured logs.
5. Launch Windows PowerShell as an administrator.
6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
```powershell
Import-Module ActiveDirectory
Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt
```
7. Save the following logs.
- All files in C:\MSLOG on the CA
- All files in C:\MSLOG on the domain controller

8
windows/client-management/mdm/policy-csp-defender.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/08/2018
ms.date: 11/14/2018
---
# Policy CSP - Defender
@ -1366,7 +1366,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
<!--/Description-->
<!--ADMXMapped-->
@ -1421,7 +1421,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
<!--/Description-->
<!--ADMXMapped-->
@ -1679,7 +1679,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess.
Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
<!--/Description-->
<!--ADMXMapped-->

64
windows/client-management/windows-10-support-solutions.md
View File

@ -7,45 +7,54 @@ ms.sitesec: library
ms.author: elizapo
author: kaushika-msft
ms.localizationpriority: medium
ms.date: 11/08/2017
ms.date: 11/08/2018
---
# Top support solutions for Windows 10
Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates:
- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124/)
- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825/)
- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824/)
- [Windows 10 version 1803 update history](https://support.microsoft.com/help/4099479)
- [Windows 10 version 1709 update history](https://support.microsoft.com/help/4043454)
- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124)
- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825)
- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824)
These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles.
## Solutions related to installing Windows updates or hotfixes
- [Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760/understanding-the-windowsupdate-log-file-for-advanced-users)
- [You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer)
- [Get-WindowsUpdateLog](https://technet.microsoft.com/itpro/powershell/windows/windowsupdate/get-windowsupdatelog)
- [How to read the Windowsupdate.log file](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file)
- [Can't download updates from Windows Update from behind a firewall or proxy server](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p)
- [Computer staged from a SysPrepped image doesn't receive WSUS updates](https://support.microsoft.com/help/4010909/computer-staged-from-a-sysprepped-image-doesn-t-receive-wsus-updates)
- [Servicing stack update for Windows 10 Version 1703: June 13, 2017](https://support.microsoft.com/help/4022405/servicingstackupdateforwindows10version1703june13-2017)
- [Servicing stack update for Windows 10 Version 1607 and Windows Server 2016: March 14, 2017](https://support.microsoft.com/help/4013418/servicing-stack-update-for-windows-10-version-1607-and-windows-server)
## Solutions related to installing Windows Updates
- [How does Windows Update work](https://docs.microsoft.com/en-us/windows/deployment/update/how-windows-update-works)
- [Windows Update log files](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-logs)
- [Windows Update troubleshooting](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting)
- [Windows Update common errors and mitigation](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-errors)
- [Windows Update - additional resources](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resources)
## Solutions related to installing or upgrading Windows
- [Quick Fixes](https://docs.microsoft.com/en-us/windows/deployment/upgrade/quick-fixes)
- [Troubleshooting upgrade errors](https://docs.microsoft.com/en-us/windows/deployment/upgrade/troubleshoot-upgrade-errors)
- [Resolution procedures](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolution-procedures)
- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/en-in/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
## Solutions related to BitLocker
- [BitLocker recovery guide](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan)
- [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)
- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker)
- [BitLocker Group Policy settings](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)
## Solutions related to Bugchecks or Stop Errors
- [Troubleshooting Stop error problems for IT Pros](https://support.microsoft.com/help/3106831/troubleshooting-stop-error-problems-for-it-pros)
- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s)
- [How to troubleshoot Windows-based computer freeze issues](https://support.microsoft.com/help/3118553/how-to-troubleshoot-windows-based-computer-freeze-issues)
- [Understanding Bugchecks](https://blogs.technet.microsoft.com/askperf/2007/12/18/understanding-bugchecks/)
- [Understanding Crash Dump Files](https://blogs.technet.microsoft.com/askperf/2008/01/08/understanding-crash-dump-files/)
- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](https://support.microsoft.com/help/4133658)
## Solutions related to Windows Boot issues
- [Troubleshooting Windows boot problems for IT Pros](https://support.microsoft.com/help/4343769)
- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s)
## Solutions related to installing or upgrading Windows
- [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors)
- [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the)
- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
- [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem)
- [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008)
- [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632)
- [OOBE update for Windows 10 Version 1511: May 30, 2017](https://support.microsoft.com/help/4022633)
## Solutions related to configuring or managing the Start menu
- [Manage Windows 10 Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies)
@ -57,7 +66,8 @@ These are the top Microsoft Support solutions for the most common issues experie
- [Modern apps are blocked by security software when you start the applications on Windows 10 Version 1607](https://support.microsoft.com/help/4016973/modern-apps-are-blocked-by-security-software-when-you-start-the-applic)
## Solutions related to wireless networking and 802.1X authentication
- [Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-wireless-network-connectivity)
- [Advanced Troubleshooting 802.1x Authentication](https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-802-authentication)
- [Troubleshooting Windows 802.11 Wireless Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))
- [Troubleshooting Windows Secure 802.3 Wired Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749352(v%3dws.10))
- [Windows 10 devices can't connect to an 802.1X environment](https://support.microsoft.com/kb/3121002)
- [Windows 10 wireless connection displays "Limited" status](https://support.microsoft.com/kb/3114149)
- [Computer that has VPN software installed can't detect wireless network after upgrading to Windows 10](https://support.microsoft.com/kb/3084164)

2
windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
View File

@ -84,7 +84,7 @@ Review the following tables for details about Office support in UE-V:
<p>Microsoft PowerPoint 2016</p>
<p>Microsoft Project 2016</p>
<p>Microsoft Publisher 2016</p>
<p>Microsoft SharePoint Designer 2013 (not udpated for 2016)</p>
<p>Microsoft SharePoint Designer 2013 (not updated for 2016)</p>
<p>Microsoft Visio 2016</p>
<p>Microsoft Word 2016</p>
<p>Microsoft Office Upload Manager</p></td>

4
windows/deployment/deploy-enterprise-licenses.md
View File

@ -73,7 +73,7 @@ For more information about integrating on-premises AD DS domains with Azure AD,
## Preparing for deployment: reviewing requirements
Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
## Assigning licenses to users
@ -225,7 +225,7 @@ Use the following figures to help you troubleshoot when users experience these c
### Review requirements on devices
Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
**To determine if a device is Azure Active Directory joined:**

9
windows/deployment/update/waas-wufb-group-policy.md
View File

@ -28,9 +28,16 @@ Using Group Policy to manage Windows Update for Business is simple and familiar:
In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch.
>[!NOTE]
>[!NOTES]
>The terms *feature updates* and *quality updates* in Windows 10, version 1607, correspond to the terms *upgrades* and *updates* in version 1511.
>To follow the instructions in this article, you will need to download and install the relevant ADMX templates for your Windows 10 version.
>See the following articles for instructions on the ADMX templates in your environment.
> - [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759)
> - [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/)
To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
## Configure Windows Update for Business in Windows 10 version 1511

5
windows/privacy/TOC.md
View File

@ -14,7 +14,10 @@
## Full level categories
### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
## [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
## Manage Windows 10 connection endpoints
### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)

358
windows/privacy/manage-windows-endpoints.md → windows/privacy/manage-windows-1709-endpoints.md
View File

@ -1,5 +1,5 @@
---
title: Windows 10 connection endpoints
title: Connection endpoints for Windows 10, version 1709
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
@ -10,11 +10,11 @@ author: danihalfin
ms.author: daniha
ms.date: 6/26/2018
---
# Manage Windows 10 connection endpoints
# Manage connection endpoints for Windows 10, version 1709
**Applies to**
- Windows 10, version 1709 and later
- Windows 10, version 1709
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
@ -46,102 +46,101 @@ We used the following methodology to derive these network endpoints:
The following endpoint is used to download updates to the Weather app Live Tile.
If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| explorer | HTTP | tile-service.weather.microsoft.com | 1709 |
| | HTTP | blob.weather.microsoft.com | 1803 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| explorer | HTTP | tile-service.weather.microsoft.com |
The following endpoint is used for OneNote Live Tile.
To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
The following endpoints are used for Twitter updates.
To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | HTTPS | wildcard.twimg.com | 1709 |
| svchost.exe | | oem.twimg.com/windows/tile.xml | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | wildcard.twimg.com |
| svchost.exe | | oem.twimg.com/windows/tile.xml |
The following endpoint is used for Facebook updates.
To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | | star-mini.c10r.facebook.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | star-mini.c10r.facebook.com |
The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
The following endpoint is used for Candy Crush Saga updates.
To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | TLS v1.2 | candycrushsoda.king.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | TLS v1.2 | candycrushsoda.king.com |
The following endpoint is used for by the Microsoft Wallet app.
To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
The following endpoint is used by the Groove Music app for update HTTP handler status.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
## Cortana and Search
The following endpoint is used to get images that are used for Microsoft Store suggestions.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| searchui | HTTPS |store-images.s-microsoft.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| searchui | HTTPS |store-images.s-microsoft.com |
The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| backgroundtaskhost | HTTPS | www.bing.com/client | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| backgroundtaskhost | HTTPS | www.bing.com/client |
The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| backgroundtaskhost | HTTPS | www.bing.com/proactive | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| backgroundtaskhost | HTTPS | www.bing.com/proactive |
The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| searchui <br> backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| searchui <br> backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
## Certificates
@ -152,142 +151,139 @@ These settings are critical for both Windows security and the overall security o
We do not recommend blocking this endpoint.
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| svchost | HTTP | ctldl.windowsupdate.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTP | ctldl.windowsupdate.com |
## Device authentication
The following endpoint is used to authenticate a device.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | HTTPS | login.live.com/ppsecure | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | login.live.com/ppsecure |
## Device metadata
The following endpoint is used to retrieve device metadata.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | | dmd.metaservices.microsoft.com.akadns.net | 1709 |
| | HTTP | dmd.metaservices.microsoft.com | 1803 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | dmd.metaservices.microsoft.com.akadns.net |
## Diagnostic Data
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| svchost | | cy2.vortex.data.microsoft.com.akadns.net | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
The following endpoints are used by Windows Error Reporting.
To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| wermgr | | watson.telemetry.microsoft.com | 1709 |
| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| wermgr | | watson.telemetry.microsoft.com |
| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
## Font streaming
The following endpoints are used to download fonts on demand.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| svchost | | fs.microsoft.com | 1709 |
| | | fs.microsoft.com/fs/windows/config.json | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | fs.microsoft.com |
| | | fs.microsoft.com/fs/windows/config.json |
## Licensing
The following endpoint is used for online activation and some app licensing.
To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
## Location
The following endpoint is used for location data.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | HTTP | location-inference-westus.cloudapp.net | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | location-inference-westus.cloudapp.net |
## Maps
The following endpoint is used to check for updates to maps that have been downloaded for offline use.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| svchost | HTTPS | *g.akamaiedge.net | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | *g.akamaiedge.net |
## Microsoft account
The following endpoints are used for Microsoft accounts to sign in.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | | login.msa.akadns6.net | 1709 |
| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | login.msa.akadns6.net |
| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
## Microsoft Store
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | | *.wns.windows.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | *.wns.windows.com |
The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | HTTP | storecatalogrevocation.storequality.microsoft.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | storecatalogrevocation.storequality.microsoft.com |
The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | 1709 |
| backgroundtransferhost | HTTPS | store-images.microsoft.com | 1803 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
The following endpoints are used to communicate with Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | HTTP | storeedgefd.dsx.mp.microsoft.com | 1709 |
| | HTTP | pti.store.microsoft.com | 1709 |
||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| 1709 |
| svchost | HTTPS | displaycatalog.mp.microsoft.com | 1803 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | storeedgefd.dsx.mp.microsoft.com |
| | HTTP | pti.store.microsoft.com |
||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
## Network Connection Status Indicator (NCSI)
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | HTTP | www.msftconnecttest.com/connecttest.txt | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | www.msftconnecttest.com/connecttest.txt |
## Office
@ -295,74 +291,73 @@ The following endpoints are used to connect to the Office 365 portal's shared in
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | | *.a-msedge.net | 1709 |
| hxstr | | *.c-msedge.net | 1709 |
| | | *.e-msedge.net | 1709 |
| | | *.s-msedge.net | 1709 |
| | HTTPS | ocos-office365-s2s.msedge.net | 1803 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | *.a-msedge.net |
| hxstr | | *.c-msedge.net |
| | | *.e-msedge.net |
| | | *.s-msedge.net |
The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| system32\Auth.Host.exe | HTTPS | outlook.office365.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
## OneDrive
The following endpoint is a redirection service thats used to automatically update URLs.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| onedrive | HTTPS | oneclient.sfx.ms | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| onedrive | HTTPS | oneclient.sfx.ms |
## Settings
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| dmclient | | cy2.settings.data.microsoft.com.akadns.net | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| dmclient | HTTPS | settings.data.microsoft.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| dmclient | HTTPS | settings.data.microsoft.com |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| svchost | HTTPS | settings-win.data.microsoft.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | settings-win.data.microsoft.com |
## Skype
The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
@ -371,102 +366,101 @@ The following endpoint is used to retrieve Skype configuration values. To turn o
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | | wdcp.microsoft.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | wdcp.microsoft.com |
The following endpoints are used for Windows Defender definition updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | | definitionupdates.microsoft.com | 1709 |
|MpCmdRun.exe|HTTPS|go.microsoft.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | definitionupdates.microsoft.com |
|MpCmdRun.exe|HTTPS|go.microsoft.com |
## Windows Spotlight
The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| backgroundtaskhost | HTTPS | arc.msn.com | 1709 |
| backgroundtaskhost | | g.msn.com.nsatc.net | 1709 |
| |TLS v1.2| *.search.msn.com | 1709 |
| | HTTPS | ris.api.iris.microsoft.com | 1709 |
| | HTTPS | query.prod.cms.rt.microsoft.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| backgroundtaskhost | HTTPS | arc.msn.com |
| backgroundtaskhost | | g.msn.com.nsatc.net |
| |TLS v1.2| *.search.msn.com |
| | HTTPS | ris.api.iris.microsoft.com |
| | HTTPS | query.prod.cms.rt.microsoft.com |
## Windows Update
The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
The following endpoints are used to download operating system patches and updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| svchost | HTTP | *.windowsupdate.com | 1709 |
| | HTTP | fg.download.windowsupdate.com.c.footprint.net | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTP | *.windowsupdate.com |
| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | | cds.d2s7q6s2.hwcdn.net | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | cds.d2s7q6s2.hwcdn.net |
The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | HTTP | *wac.phicdn.net | 1709 |
| | | *wac.edgecastcdn.net | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | *wac.phicdn.net |
| | | *wac.edgecastcdn.net |
The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| svchost | | emdl.ws.microsoft.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | emdl.ws.microsoft.com |
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| svchost | HTTPS | fe2.update.microsoft.com | 1709 |
| svchost | | fe3.delivery.mp.microsoft.com | 1709 |
| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | 1709 |
| svchost | HTTPS | sls.update.microsoft.com | 1709 |
| | HTTP | *.dl.delivery.mp.microsoft.com | 1803 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | fe2.update.microsoft.com |
| svchost | | fe3.delivery.mp.microsoft.com |
| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
| svchost | HTTPS | sls.update.microsoft.com |
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
The following endpoints are used to download content.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
| | | a122.dscd.akamai.net | 1709 |
| | | a1621.g.akamai.net | 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | a122.dscd.akamai.net |
| | | a1621.g.akamai.net |
## Microsoft forward link redirection service (FWLink)
@ -474,11 +468,15 @@ The following endpoint is used by the Microsoft forward link redirection service
If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
| Source process | Protocol | Destination | Applies from Windows 10 version |
|----------------|----------|------------|----------------------------------|
|Various|HTTPS|go.microsoft.com| 1709 |
| Source process | Protocol | Destination |
|----------------|----------|------------|
|Various|HTTPS|go.microsoft.com|
## Other Windows 10 editions
## Other Windows 10 versions and editions
To view endpoints for other versions of Windows 10 enterprise, see:
- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)

498
windows/privacy/manage-windows-1803-endpoints.md Normal file
View File

@ -0,0 +1,498 @@
---
title: Connection endpoints for Windows 10, version 1803
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
author: danihalfin
ms.author: daniha
ms.date: 6/26/2018
---
# Manage connection endpoints for Windows 10, version 1803
**Applies to**
- Windows 10, version 1803
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
- Connecting to email servers to send and receive email.
- Connecting to the web for every day web browsing.
- Connecting to the cloud to store and access backups.
- Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Enterprise connection endpoints
## Apps
The following endpoint is used to download updates to the Weather app Live Tile.
If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| explorer | HTTP | tile-service.weather.microsoft.com |
| | HTTP | blob.weather.microsoft.com |
The following endpoint is used for OneNote Live Tile.
To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
The following endpoints are used for Twitter updates.
To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | wildcard.twimg.com |
| svchost.exe | | oem.twimg.com/windows/tile.xml |
The following endpoint is used for Facebook updates.
To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | star-mini.c10r.facebook.com |
The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
The following endpoint is used for Candy Crush Saga updates.
To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | TLS v1.2 | candycrushsoda.king.com |
The following endpoint is used for by the Microsoft Wallet app.
To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
The following endpoint is used by the Groove Music app for update HTTP handler status.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
## Cortana and Search
The following endpoint is used to get images that are used for Microsoft Store suggestions.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| searchui | HTTPS |store-images.s-microsoft.com |
The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| backgroundtaskhost | HTTPS | www.bing.com/client |
The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| backgroundtaskhost | HTTPS | www.bing.com/proactive |
The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| searchui <br> backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
## Certificates
The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTP | ctldl.windowsupdate.com |
The following endpoints are used to download certificates that are publicly known to be fraudulent.
These settings are critical for both Windows security and the overall security of the Internet.
We do not recommend blocking this endpoint.
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTP | ctldl.windowsupdate.com |
## Device authentication
The following endpoint is used to authenticate a device.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | login.live.com/ppsecure |
## Device metadata
The following endpoint is used to retrieve device metadata.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | dmd.metaservices.microsoft.com.akadns.net |
| | HTTP | dmd.metaservices.microsoft.com |
## Diagnostic Data
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
The following endpoints are used by Windows Error Reporting.
To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| wermgr | | watson.telemetry.microsoft.com |
| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
## Font streaming
The following endpoints are used to download fonts on demand.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | fs.microsoft.com |
| | | fs.microsoft.com/fs/windows/config.json |
## Licensing
The following endpoint is used for online activation and some app licensing.
To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
## Location
The following endpoint is used for location data.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | location-inference-westus.cloudapp.net |
## Maps
The following endpoint is used to check for updates to maps that have been downloaded for offline use.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | *g.akamaiedge.net |
## Microsoft account
The following endpoints are used for Microsoft accounts to sign in.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | login.msa.akadns6.net |
| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
## Microsoft Store
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | *.wns.windows.com |
The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | storecatalogrevocation.storequality.microsoft.com |
The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
| backgroundtransferhost | HTTPS | store-images.microsoft.com |
The following endpoints are used to communicate with Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | storeedgefd.dsx.mp.microsoft.com |
| | HTTP | pti.store.microsoft.com |
||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
| svchost | HTTPS | displaycatalog.mp.microsoft.com |
## Network Connection Status Indicator (NCSI)
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | www.msftconnecttest.com/connecttest.txt |
## Office
The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | *.a-msedge.net |
| hxstr | | *.c-msedge.net |
| | | *.e-msedge.net |
| | | *.s-msedge.net |
| | HTTPS | ocos-office365-s2s.msedge.net |
The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
## OneDrive
The following endpoint is a redirection service thats used to automatically update URLs.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| onedrive | HTTPS | oneclient.sfx.ms |
## Settings
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| dmclient | HTTPS | settings.data.microsoft.com |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | settings-win.data.microsoft.com |
## Skype
The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
## Windows Defender
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | wdcp.microsoft.com |
The following endpoints are used for Windows Defender definition updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | definitionupdates.microsoft.com |
|MpCmdRun.exe|HTTPS|go.microsoft.com |
## Windows Spotlight
The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
| Source process | Protocol | Destination |
|----------------|----------|------------|
| backgroundtaskhost | HTTPS | arc.msn.com |
| backgroundtaskhost | | g.msn.com.nsatc.net |
| |TLS v1.2| *.search.msn.com |
| | HTTPS | ris.api.iris.microsoft.com |
| | HTTPS | query.prod.cms.rt.microsoft.com |
## Windows Update
The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
The following endpoints are used to download operating system patches and updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTP | *.windowsupdate.com |
| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | cds.d2s7q6s2.hwcdn.net |
The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | *wac.phicdn.net |
| | | *wac.edgecastcdn.net |
The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | emdl.ws.microsoft.com |
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | fe2.update.microsoft.com |
| svchost | | fe3.delivery.mp.microsoft.com |
| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
| svchost | HTTPS | sls.update.microsoft.com |
| | HTTP | *.dl.delivery.mp.microsoft.com |
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
The following endpoints are used to download content.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | a122.dscd.akamai.net |
| | | a1621.g.akamai.net |
## Microsoft forward link redirection service (FWLink)
The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
| Source process | Protocol | Destination |
|----------------|----------|------------|
|Various|HTTPS|go.microsoft.com|
## Other Windows 10 editions
To view endpoints for other versions of Windows 10 enterprise, see:
- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)

528
windows/privacy/manage-windows-1809-endpoints.md Normal file
View File

@ -0,0 +1,528 @@
---
title: Connection endpoints for Windows 10, version 1803
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
author: danihalfin
ms.author: daniha
ms.date: 6/26/2018
---
# Manage connection endpoints for Windows 10, version 1809
**Applies to**
- Windows 10, version 1809
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
- Connecting to email servers to send and receive email.
- Connecting to the web for every day web browsing.
- Connecting to the cloud to store and access backups.
- Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Enterprise connection endpoints
## Apps
The following endpoint is used to download updates to the Weather app Live Tile.
If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| explorer | HTTP | tile-service.weather.microsoft.com |
| | HTTP | blob.weather.microsoft.com |
The following endpoint is used for OneNote Live Tile.
To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
The following endpoints are used for Twitter updates.
To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | wildcard.twimg.com |
| svchost.exe | | oem.twimg.com/windows/tile.xml |
The following endpoint is used for Facebook updates.
To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | star-mini.c10r.facebook.com |
The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
The following endpoint is used for Candy Crush Saga updates.
To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | TLS v1.2 | candycrushsoda.king.com |
The following endpoint is used for by the Microsoft Wallet app.
To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
The following endpoint is used by the Groove Music app for update HTTP handler status.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
The following endpoints are used when using the Whiteboard app.
To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | wbd.ms |
| | HTTPS | int.whiteboard.microsoft.com |
| | HTTPS | whiteboard.microsoft.com |
| | HTTP / HTTPS | whiteboard.ms |
## Cortana and Search
The following endpoint is used to get images that are used for Microsoft Store suggestions.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| searchui | HTTPS |store-images.s-microsoft.com |
The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| backgroundtaskhost | HTTPS | www.bing.com/client |
The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| backgroundtaskhost | HTTPS | www.bing.com/proactive |
The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| searchui <br> backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
## Certificates
The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTP | ctldl.windowsupdate.com |
The following endpoints are used to download certificates that are publicly known to be fraudulent.
These settings are critical for both Windows security and the overall security of the Internet.
We do not recommend blocking this endpoint.
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTP | ctldl.windowsupdate.com |
## Device authentication
The following endpoint is used to authenticate a device.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | login.live.com/ppsecure |
## Device metadata
The following endpoint is used to retrieve device metadata.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | dmd.metaservices.microsoft.com.akadns.net |
| | HTTP | dmd.metaservices.microsoft.com |
## Diagnostic Data
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 |
The following endpoints are used by Windows Error Reporting.
To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| wermgr | | watson.telemetry.microsoft.com |
| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
## Font streaming
The following endpoints are used to download fonts on demand.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | fs.microsoft.com |
| | | fs.microsoft.com/fs/windows/config.json |
## Licensing
The following endpoint is used for online activation and some app licensing.
To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
## Location
The following endpoint is used for location data.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | location-inference-westus.cloudapp.net |
| | HTTPS | inference.location.live.net |
## Maps
The following endpoint is used to check for updates to maps that have been downloaded for offline use.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | *g.akamaiedge.net |
## Microsoft account
The following endpoints are used for Microsoft accounts to sign in.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | login.msa.akadns6.net |
| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
| | | us.configsvc1.live.com.akadns.net |
## Microsoft Store
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | *.wns.windows.com |
The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | storecatalogrevocation.storequality.microsoft.com |
The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
| backgroundtransferhost | HTTPS | store-images.microsoft.com |
The following endpoints are used to communicate with Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | storeedgefd.dsx.mp.microsoft.com |
| | HTTP \ HTTPS | pti.store.microsoft.com |
||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
| svchost | HTTPS | displaycatalog.mp.microsoft.com |
## Network Connection Status Indicator (NCSI)
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | www.msftconnecttest.com/connecttest.txt |
## Office
The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | *.a-msedge.net |
| hxstr | | *.c-msedge.net |
| | | *.e-msedge.net |
| | | *.s-msedge.net |
| | HTTPS | ocos-office365-s2s.msedge.net |
| | HTTPS | nexusrules.officeapps.live.com |
| | HTTPS | officeclient.microsoft.com |
The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
The following endpoint is used to connect the Office To-Do app to it's cloud service.
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
| Source process | Protocol | Destination |
|----------------|----------|------------|
| |HTTPS|to-do.microsoft.com|
## OneDrive
The following endpoint is a redirection service thats used to automatically update URLs.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| onedrive | HTTPS | oneclient.sfx.ms |
## Settings
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| dmclient | HTTPS | settings.data.microsoft.com |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | settings-win.data.microsoft.com |
## Skype
The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|----------------|----------|------------|
|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
| | HTTPS | browser.pipe.aria.microsoft.com |
| | | skypeecs-prod-usw-0-b.cloudapp.net |
## Windows Defender
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | wdcp.microsoft.com |
The following endpoints are used for Windows Defender definition updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | definitionupdates.microsoft.com |
|MpCmdRun.exe|HTTPS|go.microsoft.com |
The following endpoints are used for Windows Defender Smartscreen reporting and notifications.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTPS | ars.smartscreen.microsoft.com |
| | HTTPS | unitedstates.smartscreen-prod.microsoft.com |
| | | smartscreen-sn3p.smartscreen.microsoft.com |
## Windows Spotlight
The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
| Source process | Protocol | Destination |
|----------------|----------|------------|
| backgroundtaskhost | HTTPS | arc.msn.com |
| backgroundtaskhost | | g.msn.com.nsatc.net |
| |TLS v1.2| *.search.msn.com |
| | HTTPS | ris.api.iris.microsoft.com |
| | HTTPS | query.prod.cms.rt.microsoft.com |
## Windows Update
The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
The following endpoints are used to download operating system patches and updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTP | *.windowsupdate.com |
| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | cds.d2s7q6s2.hwcdn.net |
The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | HTTP | *wac.phicdn.net |
| | | *wac.edgecastcdn.net |
The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | | emdl.ws.microsoft.com |
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | fe2.update.microsoft.com |
| svchost | | fe3.delivery.mp.microsoft.com |
| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
| svchost | HTTPS | sls.update.microsoft.com |
| | HTTP | *.dl.delivery.mp.microsoft.com |
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
The following endpoints are used to download content.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | a122.dscd.akamai.net |
| | | a1621.g.akamai.net |
## Microsoft forward link redirection service (FWLink)
The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
| Source process | Protocol | Destination |
|----------------|----------|------------|
|Various|HTTPS|go.microsoft.com|
## Other Windows 10 editions
To view endpoints for other versions of Windows 10 enterprise, see:
- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)

31
windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md Normal file
View File

@ -0,0 +1,31 @@
---
title: Microsoft-compatible security key
description: Windows 10 enables users to sign in to their device using a security key. How is a Microsoft-compatible security key different (and better) than any other FIDO2 security key
keywords: FIDO2, security key, CTAP, Hello, WHFB
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: aabhathipsay
ms.author: aathipsa
ms.localizationpriority: medium
ms.date: 11/14/2018
---
# What is a Microsoft-compatible security key?
> [!Warning]
> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Microsoft has been aligned with the [FIDO Alliance](https://fidoalliance.org/) with a mission to replace passwords with an easy to use, strong 2FA credential. We have been working with our partners to extensively test and deliver a seamless and secure authentication experience to end users.
The [FIDO2 CTAP specification](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html) contains a few optional features and extensions which are crucial to provide that seamless and secure experience.
A security key **MUST** implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible:
| #</br> | Feature / Extension trust</br> | Why is this required? </br> |
| --- | --- | --- |
| 1 | Resident key | This feature enables the security key to be portable, where your credential is stored on the security key |
| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have an user interface|
| 3 | hmac-secret | This extension ensures you can sign-in to your device when it's off-line or in airplane mode |
| 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like Microsoft Account (MSA) and Azure Active Directory (AAD) |

4
windows/security/identity-protection/user-account-control/how-user-account-control-works.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: operate
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 09/19/2018
ms.date: 11/16/2018
---
# How User Account Control works
@ -182,7 +182,7 @@ To better understand each component, review the table below:
</ul>
<p>Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.</p><br>
</li>
<li><p><b>Never notify (Disable UAC)</b> will:</p>
<li><p><b>Never notify (Disable UAC prompts)</b> will:</p>
<ul>
<li>Not notify you when programs try to install software or make changes to your computer.</li>
<li>Not notify you when you make changes to Windows settings.</li>

6
windows/security/information-protection/secure-the-windows-10-boot-process.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.sitesec: library
ms.localizationpriority: medium
author: brianlic-msft
ms.date: 10/13/2017
ms.date: 11/16/2018
---
# Secure the Windows 10 boot process
@ -122,9 +122,5 @@ Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to
## Summary
Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows 10, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; its leaps and bounds ahead of everything else. With Windows 10, you can truly trust the integrity of your operating system.
For more information:
- Watch a [video demonstration of Secure Boot](https://technet.microsoft.com/windows/jj737995.aspx)
## Additional resources
- [Windows 10 Enterprise Evaluation](https://technet.microsoft.com/evalcenter/hh699156.aspx?ocid=wc-tn-wctc)

10
windows/security/threat-protection/TOC.md
View File

@ -123,10 +123,12 @@
##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md)
###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
###### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
##### Device control
###### [Control USB devices](device-control/control-usb-devices-using-intune.md)
###### [Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
####### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md)
###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)

86
windows/security/threat-protection/device-control/control-usb-devices-using-intune.md Normal file
View File

@ -0,0 +1,86 @@
---
title: How to control USB devices and other removable media using Intune (Windows 10)
description: You can configure Intune settings to reduce threats from removable storage such as USB devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
ms.author: justinha
author: justinha
ms.date: 11/15/2018
---
# How to control USB devices and other removable media using Intune
**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can configure Intune settings to reduce threats from removable storage such as USB devices, including:
- [Block unwanted removeable storage](#block-unwanted-removable-storage)
- [Protect allowed removable storage](#protect-allowed-removable-storage)
Protecting allowed removeable storage requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
We recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.
You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted.
> [!NOTE]
> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For data loss prevention on Windows 10 devices, you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device.
## Block unwanted removeable storage
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
![Create device configuration profile](images/create-device-configuration-profile.png)
3. Use the following settings:
- Name: Windows 10 Device Configuration
- Description: Block removeable storage and USB connections
- Platform: Windows 10 and later
- Profile type: Device restrictions
![Create profile](images/create-profile.png)
4. Click **Configure** > **General**.
5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**.
![General settings](images/general-settings.png)
6. Click **OK** to close **General** settings and **Device restrictions**.
7. Click **Create** to save the profile.
Alternatively, you can create a custom profile in Intune and configure [DeviceInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) policies.
## Protect allowed removable storage
These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
![Create device configuration profile](images/create-device-configuration-profile.png)
3. Use the following settings:
- Name: Type a name for the profile
- Description: Type a description
- Platform: Windows 10 or later
- Profile type: Endpoint protection
![Create enpoint protection profile](images/create-endpoint-protection-profile.png)
4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**.
5. For **Unsigned and untrusted processes that run from USB**, choose **Block**.
![Block untrusted processes](images/block-untrusted-processes.png)
6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**.
7. Click **Create** to save the profile.

BIN
windows/security/threat-protection/device-control/images/block-untrusted-processes.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 98 KiB

BIN
windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.5 KiB

BIN
windows/security/threat-protection/device-control/images/create-device-configuration-profile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
windows/security/threat-protection/device-control/images/create-profile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
windows/security/threat-protection/device-control/images/general-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 125 KiB

4
windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
ms.date: 08/29/2017
ms.date: 11/16/2018
---
# System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
@ -50,7 +50,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP
### Best practices
- For use with TLS, set this policy to **Enabled**. Client devices with this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Client devices that are connected to the network and do not support these algorithms cannot use servers that require the algorithms for network communications. If you enable this policy setting, you must also configure Internet Explorer to use TLS.
There are no best practices for this setting. Our previous guidance had recommended a setting of **Enabled**, primarily to align with US Federal government recommendations. [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend this setting be **Not Defined**, meaning that we leave the decision to customers. For a deeper explanation, see [Why Were Not Recommending “FIPS Mode” Anymore](https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/).
### Location

12
windows/security/threat-protection/windows-defender-atp/TOC.md
View File

@ -113,17 +113,19 @@
##### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
#### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
### [Access the Windows Security app](community-windows-defender-advanced-threat-protection.md)
### [Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md)
## [Configure and manage capabilities](onboard.md)
### [Configure attack surface reduction](configure-attack-surface-reduction.md)
#### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md)
##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
#### [Device control](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
##### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
###### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
###### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
#### Device control
##### [Control USB devices](../device-control/control-usb-devices-using-intune.md)
##### [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
###### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
#### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)

22
windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 09/12/2018
ms.date: 11/14/2018
---
@ -98,8 +98,28 @@ United Kingdom | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.dat
United States | ```us.vortex-win.data.microsoft.com```<br> ```us-v20.events.data.microsoft.com```<br>```winatp-gw-cus.microsoft.com``` <br>```winatp-gw-eus.microsoft.com```
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
## Windows Defender ATP service backend IP range
If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
Windows Defender ATP is built on Azure cloud, deployed in the following regions:
- \+\<Region Name="uswestcentral">
- \+\<Region Name="useast2">
- \+\<Region Name="useast">
- \+\<Region Name="europenorth">
- \+\<Region Name="europewest">
- \+\<Region Name="uksouth">
- \+\<Region Name="ukwest">
You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653).
>[!NOTE]
> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
## Verify client connectivity to Windows Defender ATP service URLs

2
windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md
View File

@ -38,7 +38,7 @@ ms.date: 30/07/2018
> To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts
> If you don't specify any version ( without /v1.0/ ) you will get to the latest version.
> If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version.
Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.

78
windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 09/24/2018
ms.date: 11/15/2018
---
# OData queries with Windows Defender ATP
@ -19,14 +19,58 @@ ms.date: 09/24/2018
[!include[Prerelease information](prerelease.md)]
> If you are not familiar with OData queries, please see: [OData V4 queries](https://www.odata.org/documentation/)
- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
> ** Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.**
> ** [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.**
- Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.
- [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.
### Example 1
**Get all the machines with 'High' 'RiskScore'**
**Get all the machines with the tag 'ExampleTag'**
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
```
**Response:**
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2018-03-07T11:19:11.7234147Z",
"lastSeen": "2018-11-15T11:23:38.3196947Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "123.17.255.241",
"lastExternalIpAddress": "123.220.196.180",
"agentVersion": "10.6400.18282.1001",
"osBuild": 18282,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [
"ExampleTag"
],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "North",
"aadDeviceId": null
},
.
.
.
]
}
```
### Example 2
- Get all the machines with 'High' 'RiskScore'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High'
@ -42,7 +86,7 @@ Content-type: application/json
"value": [
{
"id": "e3a77eeddb83d581238792387b1239b01286b2f",
"computerDnsName": "examples.dev.corp.microsoft.com",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2016-11-02T23:26:03.7882168Z",
"lastSeen": "2018-11-12T10:27:08.708723Z",
"osPlatform": "Windows10",
@ -55,7 +99,7 @@ Content-type: application/json
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "North",
"rbacGroupName": "Developers",
"riskScore": "High",
"aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
},
@ -66,9 +110,9 @@ Content-type: application/json
}
```
### Example 2
### Example 3
**Get top 100 machines with 'HealthStatus' not equals to 'Active'**
- Get top 100 machines with 'HealthStatus' not equals to 'Active'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100
@ -84,7 +128,7 @@ Content-type: application/json
"value": [
{
"id": "1113333ddb83d581238792387b1239b01286b2f",
"computerDnsName": "examples.dev.corp.microsoft.com",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2016-11-02T23:26:03.7882168Z",
"lastSeen": "2018-11-12T10:27:08.708723Z",
"osPlatform": "Windows10",
@ -97,7 +141,7 @@ Content-type: application/json
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "North",
"rbacGroupName": "Developers",
"riskScore": "Medium",
"aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
},
@ -108,9 +152,9 @@ Content-type: application/json
}
```
### Example 3
### Example 4
**Get all the machines that last seen after 2018-10-20**
- Get all the machines that last seen after 2018-10-20
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z
@ -138,8 +182,8 @@ Content-type: application/json
"healthStatus": "Active",
"isAadJoined": false,
"machineTags": [],
"rbacGroupId": 4,
"rbacGroupName": "East",
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "None",
"aadDeviceId": null
},
@ -150,9 +194,9 @@ Content-type: application/json
}
```
### Example 4
### Example 5
**Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using WDATP**
- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP
```
HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan'

4
windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -41,7 +41,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
GET /api/users/{id}/alerts
```
**Note that the id is not the Full UPN, its only the user name. For example, for user1@contoso.com you will need to send /api/users/user1/alerts**
**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) **
## Request headers
@ -54,7 +54,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and user and alert exists - 200 OK. If user or alerts does not exist - 404 Not Found.
If successful and user and alert exist - 200 OK. If user or alerts do not exist - 404 Not Found.
## Example

2
windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 12/08/2017
ms.date: 11/15/2018
---
# Get user related alerts API (deprecated)

2
windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -41,7 +41,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
GET /api/users/{id}/machines
```
**Note that the id is not the Full UPN, its only the user name. For example, for user1@contoso.com you will need to send /api/users/user1/machines**
**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) **
## Request headers

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: justinha
author: brianlic-msft
ms.date: 08/08/2018
ms.date: 11/15/2018
---
# Enable virtualization-based protection of code integrity
@ -42,7 +42,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
3. Double-click **Turn on Virtualization Based Security**.
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be enabled remotely or select **Enabled without UEFI lock**.
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
![Enable HVCI using Group Policy](images\enable-hvci-gp.png)