Merge branch 'master' into tags-update

Joey Caparas 2019-12-03 08:55:50 -08:00
commit 24ebcd82fa
88 changed files with 2049 additions and 349 deletions

View File

@ -1,5 +1,4 @@
# [HoloLens overview](index.md)
# [Hololens status](hololens-status.md)
# Get Started with HoloLens 2
## [HoloLens 2 hardware](hololens2-hardware.md)
@ -54,11 +53,14 @@
## [Spatial mapping on HoloLens](hololens-spaces.md)
# Update and recovery
## [Join the Windows Insider program](hololens-insider.md)
## [Managing HoloLens updates](hololens-updates.md)
## [Update HoloLens](hololens-update-hololens.md)
## [Manage updates on many HoloLens](hololens-updates.md)
## [Restart, reset, or recover](hololens-recovery.md)
## [Known issues](hololens-known-issues.md)
## [Frequently asked questions](hololens-faq.md)
# [Release Notes](hololens-release-notes.md)
# [Hololens status](hololens-status.md)
# [Give us feedback](hololens-feedback.md)
# [Join the Windows Insider program](hololens-insider.md)
# [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
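Review bot: two entries under "Update and recovery", "Managing HoloLens updates" and "Manage updates on many HoloLens", both link to hololens-updates.md; if the second is the renamed entry, the first should be removed rather than left beside it. "Join the Windows Insider program" (hololens-insider.md) likewise appears both under "Update and recovery" and as a top-level entry at the end; keep one. Minor: "Hololens status" should be "HoloLens status" to match the product spelling used by the other entries.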

View File

@ -0,0 +1,95 @@
---
title: What's new in Microsoft HoloLens
description: Learn about updates in each new HoloLens release.
author: scooley
ms.author: scooley
manager: dansimp
ms.prod: hololens
ms.sitesec: library
ms.topic: article
ms.localizationpriority: medium
ms.date: 10/14/2019
audience: ITPro
appliesto:
- HoloLens 1
- HoloLens 2
---
# HoloLens Release Notes
## HoloLens 2
### November Update - build 18362.1039
- Fixes for **"Select"** voice commands during initial set-up for en-CA and en-AU.
- Improvements in visual quality of objects placed far away in latest Unity and MRTK versions.
- Fixes addressing issues with holographic applications being stuck in a paused state on launch until the pins panel is brought up and dismissed again.
- OpenXR runtime conformance fixes and improvements for HoloLens 2 and the emulator.
## HoloLens (1st gen)
### Windows 10 Holographic, version 1809
> **Applies to:** Hololens (1st gen)
| Feature | Details |
|---|---|
| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app. <br> See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.<br><br>![sample of the Quick actions menu](images/minimenu.png) |
| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, youll be able to stop recording from the same place. (Dont forget, you can always do this with voice commands too.) |
| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if youre in an immersive experience, use the bloom gesture). |
| **HoloLens overlays**<br>(file picker, keyboard, dialogs, etc.) | Youll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens youll see a visual display of the volume level. |
| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—its between the "Hello" message and the Windows boot logo. |
| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |
#### For international customers
| Feature | Details |
| --- | --- |
| Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands.<br>[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) |
| Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. |
#### For administrators
| Feature | Details |
|---|----|
| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. |
| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. |
| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. |
| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with yourpassword. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password. <br>**Note:** You can choose to bypass any PIN/Smartcard options when promptedduring web sign-in. |
| Read device hardware info through MDM so devices can be tracked by serial number | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer toyour MDM documentationfor feature availability and instructions. |
| Set HoloLens device name through MDM (rename) |IT administrators can see and rename HoloLens devices in their MDM console. Refer toyour MDM documentationfor feature availability and instructions. |
### Windows 10, version 1803 for Microsoft HoloLens
> **Applies to:** Hololens (1st gen)
Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#wizard).
![Provisioning HoloLens devices](images/provision-hololens-devices.png)
- When you create a local account in a provisioning package, the password no longer expires every 42 days.
- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes.
- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens.
- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically.
- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business.
- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts.
- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting.
- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly.
- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report.
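Review bot: the front matter has ms.date: 10/14/2019, which predates the "November Update - build 18362.1039" this new file documents; bump the date. Both "> **Applies to:** Hololens (1st gen)" blockquotes are followed directly by a table or paragraph with no blank line, so Markdown will pull the table header and the first sentence into the quote; add a blank line after each (and "Hololens" should be "HoloLens"). Several rows lost characters on the way in: "youll", "Dont" and "its" (for "it's") in the video capture, notifications, overlays, volume and boot rows, and "yourpassword", "promptedduring" and "toyour MDM documentationfor" in the administrator rows; restore the apostrophes and spaces before this ships.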

View File

@ -0,0 +1,92 @@
---
title: Update HoloLens
description: Check your HoloLens' build number, update, and roll back updates.
keywords: how-to, update, roll back, HoloLens, check build, build number
ms.prod: hololens
ms.sitesec: library
author: scooley
ms.author: scooley
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/27/2019
audience: ITPro
ms.reviewer:
manager: jarrettr
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Update HoloLens
HoloLens uses Windows Update, just like other Windows 10 devices. Your HoloLens will automatically download and install system updates whenever it is plugged-in to power and connected to the Internet, even when it is in standby.
This article will walk through HoloLens tools for:
- viewing your current operating system version (build number)
- checking for updates
- manually updating HoloLens
- rolling back to an older update
## Check your operating system version (build number)
You can verify the system version number, (build number) by opening the Settings app and selecting **System** > **About**.
## Check for updates and manually update
You can check for updates any time in settings. To see available updates and check for new updates:
1. Open the **Settings** app.
1. Navigate to **Update & Security** > **Windows Update**.
1. Select **Check for updates**.
If an update is available, it will start downloading the new version. After the download is complete, select the **Restart Now** button to trigger the installation. If your device is below 40% and not plugged in, restarting will not start installing the update.
While your HoloLens is installing the update, it will display spinning gears and a progress indicator. Do not turn off your HoloLens during this time. It will restart automatically once it has completed the installation.
HoloLens applies one update at a time. If your HoloLens is more than one version behind the latest you may need to run through the update process multiple times to get it fully up to date.
## Go back to a previous version - HoloLens 2
In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Advanced Recovery Companion to reset your HoloLens to the earlier version.
> [!NOTE]
> Going back to an earlier version deletes your personal files and settings.
To go back to a previous version of HoloLens 2, follow these steps:
1. Make sure that you don't have any phones or Windows devices plugged in to your PC.
1. On your PC, download the [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from the Microsoft Store.
1. Download the [most recent HoloLens 2 release](https://aka.ms/hololens2download).
1. When you have finished these downloads, open **File explorer** > **Downloads**. Right-click the zipped folder that you just downloaded, and select **Extract all** > **Extract** to unzip it.
1. Connect your HoloLens to your PC using a USB-A to USB-C cable. (Even if you've been using other cables to connect your HoloLens, this one works best.)
1. The Advanced Recovery Companion automatically detects your HoloLens. Select the **Microsoft HoloLens** tile.
1. On the next screen, select **Manual package selection** and then select the installation file contained in the folder that you unzipped in step 4. (Look for a file with the .ffu extension.)
1. Select **Install software**, and follow the instructions.
## Go back to a previous version - HoloLens (1st Gen)
In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Windows Device Recovery Tool to reset your HoloLens to the earlier version.
> [!NOTE]
> Going back to an earlier version deletes your personal files and settings.
To go back to a previous version of HoloLens 1, follow these steps:
1. Make sure that you don't have any phones or Windows devices plugged in to your PC.
1. On your PC, download the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
1. Download the [HoloLens Anniversary Update recovery package](https://aka.ms/hololensrecovery).
1. When the downloads finish, open **File explorer** > **Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all** > **Extract** to unzip it.
1. Connect your HoloLens to your PC using the micro-USB cable that it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)
1. The WDRT will automatically detect your HoloLens. Select the **Microsoft HoloLens** tile.
1. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the .ffu extension.)
1. Select **Install software**, and follow the instructions.
> [!NOTE]
> If the WDRT doesn't detect your HoloLens, try restarting your PC. If that doesn't work, select **My device was not detected**, select **Microsoft HoloLens**, and then follow the instructions.
## Windows Insider Program on HoloLens
Want to see the latest features in HoloLens? If so, join the Windows Insider Program; you'll get access to preview builds of HoloLens software updates before they're available to the general public.
[Get Windows Insider preview for Microsoft HoloLens](hololens-insider.md).
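Review bot: the HoloLens 2 rollback section says its purpose is to reset the device to an earlier version, yet step 3 tells the reader to download "the most recent HoloLens 2 release"; either the heading or the step is wrong, and as written a reader trying to downgrade re-flashes the current build. Since both tools take any .ffu offered through "Manual package selection", the steps should also make clear that the package must come from the linked aka.ms download and nowhere else. Smaller points: "If your device is below 40% and not plugged in" should say 40% battery; "system version number, (build number)" has a stray comma; and "If your HoloLens is more than one version behind the latest you may need" needs a comma before "you".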

View File

@ -7,7 +7,7 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.date: 06/20/2019
ms.date: 11/27/2019
ms.reviewer:
manager: dansimp
ms.localizationpriority: medium
@ -25,7 +25,7 @@ The intended audiences for this topic include IT and network administrators inte
Microsoft Surface Hub's security depends extensively on Wi-Fi Direct / Miracast and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Since the device only supports WPS (as opposed to WPA2 Pre-Shared Key (PSK) or WPA2 Enterprise), issues traditionally associated with 802.11 encryption are simplified by design.
It is important to note Surface Hub operates on par with the field of Miracast receivers, meaning that it is protected from, and vulnerable to, a similar set of exploits as all WPS-based wireless network devices. But Surface Hubs implementation of WPS has extra precautions built in, and its internal architecture helps prevent an attacker even after compromising the Wi-Fi Direct / Miracast layer to move past the network interface onto other attack surfaces and connected enterprise networks see [Wi-Fi Direct vulnerabilities and how Surface Hub addresses them](#vulnerabilities).
It is important to note Surface Hub operates on par with the field of Miracast receivers, meaning that it is protected from, and vulnerable to, a similar set of exploits as all WPS-based wireless network devices. But Surface Hubs implementation of WPS has extra precautions built in, and its internal architecture helps prevent an attacker even after compromising the Wi-Fi Direct / Miracast layer to move past the network interface onto other attack surfaces and connected enterprise networks.
## Wi-Fi Direct background
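Review bot: dropping the "(#vulnerabilities)" cross-reference from the end of the sentence leaves the span id="vulnerabilities" anchor in the next hunk with no in-page link pointing at it; either keep the pointer as its own sentence ("See [Wi-Fi Direct vulnerabilities and how Surface Hub addresses them](#vulnerabilities).") or remove the anchor. Since the line is being edited anyway, the clause "helps prevent an attacker even after compromising the Wi-Fi Direct / Miracast layer to move past the network interface" reads better as "helps prevent an attacker who has compromised the Wi-Fi Direct / Miracast layer from moving past the network interface", and "Surface Hubs implementation" needs its apostrophe.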
@ -37,7 +37,7 @@ Security for Wi-Fi Direct is provided by WPA2 using the WPS standard. Authentic
In Wi-Fi Direct, groups are created as either "persistent," allowing for automatic reconnection using stored key material, or "temporary," where devices cannot re-authenticate without user intervention or action. Wi-Fi Direct groups will typically determine a Group Owner (GO) through a negotiation protocol, which mimics the "station" or "Access Point" functionality for the established Wi-Fi Direct Group. This Wi-Fi Direct GO provides authentication (via an “Internal Registrar”), and facilitate upstream network connections. For Surface Hub, this GO negotiation does not take place, as the network only operates in "autonomous" mode, where Surface Hub is always the Group Owner. Finally, Surface Hub does not and will not join other Wi-Fi Direct networks itself as a client.
<span id="vulnerabilities" />
## Wi-Fi Direct vulnerabilities and how Surface Hub addresses them
**Vulnerabilities and attacks in the Wi-Fi Direct invitation, broadcast, and discovery process**: Wi-Fi Direct / Miracast attacks may target weaknesses in the group establishment, peer discovery, device broadcast, or invitation processes.
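Review bot: "This Wi-Fi Direct GO provides authentication (via an "Internal Registrar"), and facilitate upstream network connections" should read "facilitates", and the comma before "and" is unnecessary. The mixed quotation marks in this paragraph (straight quotes around "persistent" and "temporary", curly ones around "Internal Registrar") should be made consistent.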

View File

@ -2,8 +2,8 @@
title: Deploy the latest firmware and drivers for Surface devices (Surface)
description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.
ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A
ms.reviewer:
manager: dansimp
ms.reviewer: dansimp
manager: kaushika
keywords: update Surface, newest, latest, download, firmware, driver, tablet, hardware, device
ms.localizationpriority: medium
ms.prod: w10
@ -12,70 +12,94 @@ ms.pagetype: surface, devices
ms.sitesec: library
author: dansimp
ms.audience: itpro
ms.date: 10/21/2019
ms.date: 11/25/2019
ms.author: dansimp
ms.topic: article
---
# Deploy the latest firmware and drivers for Surface devices
Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment.
## Download MSI files
To download MSI files, refer to the following Microsoft Support page:
> **Home users:** This article is only intended for technical support agents and IT professionals. If you're looking for help to install Surface updates or firmware on a home device, please see [Update Surface firmware and Windows 10](https://support.microsoft.com/help/4023505).
- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface)<br>
Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices.
Under typical conditions, Windows Update automatically keeps Windows Surface devices up-to-date by downloading and installing the latest device drivers and firmware. However, you may sometimes have to download and install updates manually. For example, you may have to manually manage updates when you deploy a new version of Windows.
## Downloading MSI files
[Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface) provides links to download installation files for the following:
- Administrative tools
- Drivers for accessories
- For some devices, updates for Windows
## Deploying MSI files
Driver and firmware updates for Surface devices consisting of all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10.
The MSI file names contain useful information including the minimum supported Windows build number required to install the drivers and firmware. For example, to install the drivers contained in SurfaceBook_Win10_17763_19.080.2031.0.msi requires Windows 10 Fall Creators Update version 1709 or later installed on your Surface Book.
Specific versions of Windows 10 have separate MSI files. Each MSI file contains all required cumulative driver and firmware updates for Surface devices.
To view build numbers for each version, refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information).
The MSI file names contain useful information, including the minimum supported Windows build number that is required to install the drivers and firmware. For example, to install the drivers that are contained in SurfaceBook_Win10_17763_19.080.2031.0.msi on a Surface Book, the device must be running Windows 10 Fall Creators Update, version 1709 or later.
For more information about build numbers for each Windows version, see [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information).
### Surface MSI naming convention
Beginning in August 2019, MSI files use the following naming formula:
- Product > Windows release > Windows build number > Version number > Revision of version number (typically zero).
Beginning in August, 2019, MSI files have used the following naming convention:
**Example:**
SurfacePro6_Win10_18362_19.073.44195_0.msi :
> *Product*\_*Windows release*\_*Windows build number*\_*Version number*\_*Revision of version number (typically zero)*.
| Product | Windows release | Build | Version | Revision of version |
| --- | --- | --- | --- | --- |
| SurfacePro6 | Win10 | 18362 | 19.073.44195 | 0 |
| | | | Indicates key date and sequence information. | Indicates release history of the update. |
| | | | **19:** Signifies the year (2019).<br>**073**: Signifies the month (July) and week of the release (3). <br>**44195**: Signifies the minute of the month that the MSI file was created. |**0:** Signifies it's the first release of version 1907344195 and has not been re-released for any reason. |
**Example**
Consider the following MSI file:
> SurfacePro6_Win10_18362_19.073.44195_0.msi
This file name provides the following information:
- **Product:** SurfacePro6
- **Windows release:** Win10
- **Build:** 18362
- **Version:** 19.073.44195 &ndash; This shows the date and time that the file was created, as follows:
- **Year:** 19 (2019)
- **Month and week:** 073 (third week of July)
- **Minute of the month:** 44195
- **Revision of version:** 0 (first release of this version)
### Legacy Surface MSI naming convention
Legacy MSI files prior to August 2019 followed the same overall naming formula but used a different method to derive the version number.
**Example:**
SurfacePro6_Win10_16299_1900307_0.msi :
Legacy MSI files (files that were built before August, 2019) followed the same overall naming formula, but used a different method to derive the version number.
| Product | Windows release | Build | Version | Revision of version |
| --- | --- | --- | --- | --- |
| SurfacePro6 | Win10 | 16299 | 1900307 | 0 |
| | | | Indicates key date and sequence information. | Indicates release history of the MSI file. |
| | | | **19:** Signifies the year (2019)<br>**003**: Signifies that its the third release of 2019.<br>**07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. |
**Example**
Look to the **version** number to determine the latest files that contain the most recent security updates. For example, you might need to install the newest file from the following list:
Consider the following MSI file:
> SurfacePro6_Win10_16299_1900307_0.msi
This file name provides the following information:
- **Product:** SurfacePro6
- **Windows release:** Win10
- **Build:** 16299
- **Version:** 1900307 &ndash; This shows the date that the file was created and its position in the release sequence, as follows:
- **Year:** 19 (2019)
- **Number of release:** 003 (third release of the year)
- **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro)
- **Revision of version:** 0 (first release of this version)
Use the **version** number to determine the latest files that contain the most recent security updates. For example, consider the following list:
- SurfacePro6_Win10_16299_1900307_0.msi
- SurfacePro6_Win10_17134_1808507_3.msi
- SurfacePro6_Win10_17763_1808707_3.msi
The first file — SurfacePro6_Win10_16299_1900307_0.msi — is the newest because its VERSION field has the newest build in 2019; the other files are from 2018.
In this list, the newest file is the first file (SurfacePro6_Win10_16299_1900307_0.msi). Its **Version** field has the newest date (2019). The other files are from 2018.
## Supported devices
Downloadable MSI files are available for Surface devices from Surface Pro 2 and later. Information about MSI files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release.
>[!NOTE]
>There are no downloadable firmware or driver updates available for Surface devices with Windows RT, including Surface RT and Surface 2. Updates can only be applied using Windows Update.
For downloadable MSI files for devices that run Surface Pro 2 and later versions, see [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface). This article contains information about MSI files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3, as they are released.
For more information about deploying Surface drivers and firmware, refer to:
> [!NOTE]
> There are no downloadable firmware or driver updates available for Surface devices that run Windows RT, including Surface RT and Surface 2. To update these devices, use Windows Update.
For more information about how to deploy Surface drivers and firmware, see the following articles:
- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business)
- [Surface for Business help](https://www.microsoft.com/surface/support/business)
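Review bot: the worked example "to install the drivers that are contained in SurfaceBook_Win10_17763_19.080.2031.0.msi on a Surface Book, the device must be running Windows 10 Fall Creators Update, version 1709 or later" carries a build-to-version error from the old text into the rewritten line: build 17763 is Windows 10 version 1809 (October 2018 Update), while version 1709 (Fall Creators Update) is build 16299. Fix the version name, and make the example file name follow the convention stated just below it (Product_Windows release_Build_Version_Revision), i.e. "19.080.2031_0" with an underscore before the revision rather than ".0". "Beginning in August, 2019" should drop the comma. In the closing comparison, the claim that SurfacePro6_Win10_16299_1900307_0.msi is the newest is correct only because all three files use the legacy version scheme; it is worth saying that the post-August-2019 Version field (19.073.44195) and the legacy one (1900307) cannot be compared by magnitude, otherwise readers picking "the latest files that contain the most recent security updates" from a mixed list may choose wrongly.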

View File

@ -9,7 +9,7 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.date: 11/20/2019
ms.date: 12/02/2019
ms.reviewer: scottmca
manager: dansimp
ms.localizationpriority: medium
@ -90,7 +90,7 @@ The following list shows all the available devices you can manage in SEMM:
| Alternate Boot | Allows you to manage use of an Alternate boot order to boot directly to a USB or Ethernet device by pressing both the Volume Down button and Power button during boot. If you do not configure this setting, Alternate boot is enabled. |
| Boot Order Lock | Allows you to lock the boot order to prevent changes. If you do not configure this setting, Boot Order Lock is disabled. |
| USB Boot | Allows you to manage booting to USB devices. If you do not configure this setting, USB Boot is enabled. |
| Network Stack | Allows you to manage Network Stack boot settings. If you do not configure this setting, the ability to manage Network Stack boot settings is enabled. |
| Network Stack | Allows you to manage Network Stack boot settings. If you do not configure this setting, the ability to manage Network Stack boot settings is disabled. |
| Auto Power On | Allows you to manage Auto Power On boot settings. If you do not configure this setting, Auto Power on is enabled. |
| Simultaneous Multi-Threading (SMT) | Allows you to manage Simultaneous Multi-Threading (SMT) to enable or disable hyperthreading. If you do not configure this setting, SMT is enabled. |
|Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled |
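Review bot: the single change here flips the documented default for Network Stack from enabled to disabled; please confirm this against actual firmware behaviour before merging, because administrators use this table to decide which SEMM settings need an explicit value, and a wrong default for network boot leaves an unmanaged boot path that nobody thought they had to configure. The wording "the ability to manage Network Stack boot settings is disabled" also describes the management capability rather than the setting; match the neighbouring rows ("USB Boot is enabled") with "Network Stack boot is disabled". Minor: the "Enable Battery limit" row is missing its trailing period.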

View File

@ -13,7 +13,7 @@ ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.date: 10/21/2019
ms.date: 11/26/2019
---
# Windows Autopilot and Surface devices
@ -35,10 +35,17 @@ Enrolling Surface devices in Windows Autopilot at the time of purchase is a capa
When you purchase Surface devices from a Surface partner enabled for Windows Autopilot, your new devices can be enrolled in your Windows Autopilot deployment for you by the partner. Surface partners enabled for Windows Autopilot include:
- [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp)
- [Atea](https://www.atea.com/)
- [Bechtle](https://www.bechtle.com/de-en)
- [Cancom](https://www.cancom.de/)
- [CDW](https://www.cdw.com/)
- [Computacenter](https://www.computacenter.com/uk)
- [Connection](https://www.connection.com/brand/microsoft/microsoft-surface)
- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html)
- [SHI](https://www.shi.com/Surface)
- [Synnex](https://www.synnexcorp.com/us/microsoft/surface-autopilot/)
- [Techdata](https://www.techdata.com/)
## Learn more
For more information about Windows Autopilot, refer to:

View File

@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Date resolved</td></tr>
<tr><td><div id='375msg'></div><b>Printing from 32-bit apps might fail on a 64-bit OS</b><br>When attempting to print, you may receive an error or the application may stop responding or close.<br><br><a href = '#375msgdesc'>See details ></a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512489' target='_blank'>KB4512489</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4525250' target='_blank'>KB4525250</a></td><td>November 12, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='351msg'></div><b>Intermittent issues when printing</b><br>The print spooler service may intermittently have issues completing a print job and results print job failure.<br><br><a href = '#351msgdesc'>See details ></a></td><td>September 24, 2019<br><a href ='https://support.microsoft.com/help/4516041' target='_blank'>KB4516041</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4520005' target='_blank'>KB4520005</a></td><td>October 08, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='333msg'></div><b>Windows RT 8.1 devices may have issues opening Internet Explorer 11</b><br>On Windows RT 8.1 devices, Internet Explorer 11 may not open and you may receive an error.<br><br><a href = '#333msgdesc'>See details ></a></td><td>September 10, 2019<br><a href ='https://support.microsoft.com/help/4516067' target='_blank'>KB4516067</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4516041' target='_blank'>KB4516041</a></td><td>September 24, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='252msg'></div><b>Devices starting using PXE from a WDS or SCCM servers may fail to start</b><br>Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"<br><br><a href = '#252msgdesc'>See details ></a></td><td>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503276' target='_blank'>KB4503276</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4512478' target='_blank'>KB4512478</a></td><td>August 17, 2019 <br>02:00 PM PT</td></tr>
@ -51,6 +52,15 @@ sections:
<div>
</div>
"
- title: November 2019
- items:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='375msgdesc'></div><b>Printing from 32-bit apps might fail on a 64-bit OS</b><div>When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. <strong>Note</strong> This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 8.1</li><li>Server: Windows Server 2012 R2; Windows Server 2012</li></ul><div></div><div><strong>Resolution:</strong> This issue is resolved in <a href='https://support.microsoft.com/help/4525250' target='_blank'>KB4525250</a>. However, the issue occurs when you install&nbsp;only <a href='https://support.microsoft.com/help/4512489' target='_blank'>KB4512489</a> (released on August 13, 2019) without installing <a href=\"https://support.microsoft.com/en-us/help/4507457\" rel=\"noopener noreferrer\" target=\"_blank\">KB4507457</a>, the previous Security Only update (released July 9, 2019). <strong>Reminder</strong> When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.</div><br><a href ='#375msg'>Back to top</a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512489' target='_blank'>KB4512489</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4525250' target='_blank'>KB4525250</a></td><td>Resolved:<br>November 12, 2019 <br>10:00 AM PT<br><br>Opened:<br>November 27, 2019 <br>04:02 PM PT</td></tr>
</table>
"
- title: September 2019
- items:
- type: markdown
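Review bot: The History cell of the new 375msgdesc row reads Resolved: November 12, 2019 but Opened: November 27, 2019, so the entry records the issue as opened fifteen days after its fix shipped; if November 27 is the date the entry was published, the Opened field should carry the date the problem was first tracked, or the column should say "Published". On the same row the trigger ("the issue occurs when you install only KB4512489 ... without installing KB4507457") sits after "However" inside the Resolution paragraph, so it reads as a caveat on the fix rather than as the condition that produces the failure; move that sentence ahead of "This issue is resolved in KB4525250" so the Resolution paragraph contains only the resolution.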

View File

@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Date resolved</td></tr>
<tr><td><div id='375msg'></div><b>Printing from 32-bit apps might fail on a 64-bit OS</b><br>When attempting to print, you may receive an error or the application may stop responding or close.<br><br><a href = '#375msgdesc'>See details ></a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512482' target='_blank'>KB4512482</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4525253' target='_blank'>KB4525253</a></td><td>November 12, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='351msg'></div><b>Intermittent issues when printing</b><br>The print spooler service may intermittently have issues completing a print job and results print job failure.<br><br><a href = '#351msgdesc'>See details ></a></td><td>September 24, 2019<br><a href ='https://support.microsoft.com/help/4516069' target='_blank'>KB4516069</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4520007' target='_blank'>KB4520007</a></td><td>October 08, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='252msg'></div><b>Devices starting using PXE from a WDS or SCCM servers may fail to start</b><br>Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"<br><br><a href = '#252msgdesc'>See details ></a></td><td>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503285' target='_blank'>KB4503285</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4512512' target='_blank'>KB4512512</a></td><td>August 17, 2019 <br>02:00 PM PT</td></tr>
<tr><td><div id='315msg'></div><b>Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error</b><br>Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.<br><br><a href = '#315msgdesc'>See details ></a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512518' target='_blank'>KB4512518</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4517302' target='_blank'>KB4517302</a></td><td>August 16, 2019 <br>02:00 PM PT</td></tr>
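Review bot: The new 375msg summary cell says only "When attempting to print, you may receive an error or the application may stop responding or close", which on a scan of this table reads as a general Windows Server 2012 printing failure; the details entry restricts it to printing from 32-bit apps on devices that installed the Security Only update KB4512482 without the July Security Only update KB4507447, and states that Monthly Rollup installs are unaffected. Carry both conditions into the summary, for example "Printing from 32-bit apps may fail if KB4512482 was installed without KB4507447 (Security Only updates only)", so admins on the rollup track do not investigate a non-issue.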
@ -50,6 +51,15 @@ sections:
<div>
</div>
"
- title: November 2019
- items:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='375msgdesc'></div><b>Printing from 32-bit apps might fail on a 64-bit OS</b><div>When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. <strong>Note</strong> This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 8.1</li><li>Server: Windows Server 2012 R2; Windows Server 2012</li></ul><div></div><div><strong>Resolution:</strong> This issue is resolved in <a href='https://support.microsoft.com/help/4525253' target='_blank'>KB4525253</a>. However, the issue occurs when you install&nbsp;only <a href='https://support.microsoft.com/help/4512482' target='_blank'>KB4512482</a> (released on August 13, 2019) without installing <a href=\"https://support.microsoft.com/help/4507447\" rel=\"noopener noreferrer\" target=\"_blank\">KB4507447</a>, the previous Security Only update (released July 9, 2019). <strong>Reminder</strong> When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.</div><br><a href ='#375msg'>Back to top</a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512482' target='_blank'>KB4512482</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4525253' target='_blank'>KB4525253</a></td><td>Resolved:<br>November 12, 2019 <br>10:00 AM PT<br><br>Opened:<br>November 27, 2019 <br>04:02 PM PT</td></tr>
</table>
"
- title: September 2019
- items:
- type: markdown
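Review bot: The Resolution paragraph of 375msgdesc leaves the actual fix ambiguous: it first says the issue is resolved in KB4525253, then that it only occurs when KB4512482 is installed without KB4507447. A reader on the Security Only track cannot tell whether installing the missing KB4507447 is sufficient on its own or whether KB4525253 is required as well; one sentence stating both outcomes would settle it. The History cell also has Opened: November 27, 2019 after Resolved: November 12, 2019, the same ordering problem as the Windows 8.1 copy of this entry earlier in the commit.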

View File

@ -64,8 +64,8 @@ sections:
- type: markdown
text: "<div>This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.</div><br>
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Last updated</td></tr>
<tr><td><div id='322msg'></div><b>Issues with some older versions of Avast and AVG anti-virus products</b><br>Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.<br><br><a href = '#322msgdesc'>See details ></a></td><td>N/A <br><br><a href ='' target='_blank'></a></td><td>Mitigated External<br></td><td>November 25, 2019 <br>05:25 PM PT</td></tr>
<tr><td><div id='231msg'></div><b>Intermittent loss of Wi-Fi connectivity</b><br>Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. <br><br><a href = '#231msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Resolved External<br></td><td>November 22, 2019 <br>04:10 PM PT</td></tr>
<tr><td><div id='322msg'></div><b>Issues with some older versions of Avast and AVG anti-virus products</b><br>Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.<br><br><a href = '#322msgdesc'>See details ></a></td><td>N/A <br><br><a href ='' target='_blank'></a></td><td>Mitigated External<br></td><td>November 22, 2019 <br>04:10 PM PT</td></tr>
<tr><td><div id='225msg'></div><b>Unable to discover or connect to Bluetooth devices using some Realtek adapters</b><br>Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.<br><br><a href = '#225msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Resolved External<br></td><td>November 15, 2019 <br>05:59 PM PT</td></tr>
<tr><td><div id='317msg'></div><b>Updates may fail to install and you may receive Error 0x80073701</b><br>Installation of updates may fail and you may receive error code 0x80073701.<br><br><a href = '#317msgdesc'>See details ></a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>November 12, 2019 <br>08:11 AM PT</td></tr>
<tr><td><div id='348msg'></div><b>Unable to create local users in Chinese, Japanese and Korean during device setup</b><br>You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.<br><br><a href = '#348msgdesc'>See details ></a></td><td>OS Build 18362.356<br><br>September 10, 2019<br><a href ='https://support.microsoft.com/help/4515384' target='_blank'>KB4515384</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>November 12, 2019 <br>08:05 AM PT</td></tr>
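Review bot: Both rows carrying id='322msg' in this hunk (the one moved to the top with November 25 and the one at its old position with November 22) keep "Microsoft and Avast has identified compatibility issues"; since the row is being rewritten anyway, fix the agreement to "have identified" (the 322msgdesc details entry further down repeats the same wording). The Originating update cell of that row also emits an empty link, `<a href ='' target='_blank'></a>`, after "N/A"; drop the anchor rather than render a blank target='_blank' link. Separately, the 317msg row shows Status "Resolved" with the same empty anchor where the other Resolved rows in this table (226msg, 229msg) link the resolving KB; either add the KB or mark it Resolved External.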
@ -73,8 +73,6 @@ sections:
<tr><td><div id='228msg'></div><b>Intel Audio displays an intcdaud.sys notification</b><br>Devices with a range of Intel Display Audio device drivers may experience battery drain.<br><br><a href = '#228msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Resolved External<br></td><td>November 12, 2019 <br>08:04 AM PT</td></tr>
<tr><td><div id='226msg'></div><b>Gamma ramps, color profiles, and night light settings do not apply in some cases</b><br>Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.<br><br><a href = '#226msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4505903' target='_blank'>KB4505903</a></td><td>July 26, 2019 <br>02:00 PM PT</td></tr>
<tr><td><div id='229msg'></div><b>Cannot launch Camera app </b><br>Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.<br><br><a href = '#229msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4501375' target='_blank'>KB4501375</a></td><td>June 27, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='358msg'></div><b>Unable to discover or connect to Bluetooth devices using some Qualcomm adapters</b><br>Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.<br><br><a href = '#358msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4517389' target='_blank'>KB4517389</a></td><td>October 08, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='338msg'></div><b>Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters</b><br>Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.<br><br><a href = '#338msgdesc'>See details ></a></td><td>N/A <br><br><a href ='' target='_blank'></a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4522355' target='_blank'>KB4522355</a></td><td>October 24, 2019 <br>10:00 AM PT</td></tr>
</table>
"
@ -90,7 +88,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='322msgdesc'></div><b>Issues with some older versions of Avast and AVG anti-virus products</b><div>Microsoft and Avast has identified compatibility issues with some versions of Avast Antivirus and AVG Antivirus. Any application from Avast or AVG that contains Antivirus version 19.5.4444.567 or earlier is affected.</div><div><br></div><div>To safeguard your upgrade experience, we have applied a hold on devices with affected Avast and AVG Antivirus from being offered or installing Windows 10, version 1903 or Windows 10, version 1909, until&nbsp;the application is updated.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1909; Windows 10, version 1903</li><li>Server: Windows Server, version 1909; Windows Server, version 1903</li></ul><div></div><div><strong>Workaround: </strong>Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated version of your Avast or AVG application. 
Guidance for Avast and AVG customers can be found in the following support articles:</div><ul><li><a href=\"https://support.avast.com/en-ww/article/253?p_pro=131&amp;p_ves=1&amp;p_lng=en&amp;p_lid=en-us&amp;p_vbd=2022&amp;cid=9632b01a-b7ec-4366-95d6-996c79ff9420\" rel=\"noopener noreferrer\" target=\"_blank\">Avast support KB article</a></li><li><a href=\"https://support.avg.com/SupportArticleView?supportType=home&amp;urlName=AVG-Antivirus-Windows-10-update&amp;cid=9632b01a-b7ec-4366-95d6-996c79ff9420&amp;l=en\" rel=\"noopener noreferrer\" target=\"_blank\">AVG support KB article</a></li></ul><div></div><div><strong>Note</strong>&nbsp;We recommend that you do not attempt to manually update using the&nbsp;<strong>Update now</strong>&nbsp;button or the Media Creation Tool until a new version of your Avast or AVG application has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.</div><br><a href ='#322msg'>Back to top</a></td><td>N/A <br><br><a href ='' target='_blank'></a></td><td>Mitigated External<br></td><td>Last updated:<br>November 22, 2019 <br>04:10 PM PT<br><br>Opened:<br>November 22, 2019 <br>04:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='322msgdesc'></div><b>Issues with some older versions of Avast and AVG anti-virus products</b><div>Microsoft and Avast has identified compatibility issues with some older versions of Avast Antivirus and AVG Antivirus that might still be installed by a small number of users. Any application from Avast or AVG that contains Antivirus version 19.5.4444.567 or earlier is affected.</div><div><br></div><div>To safeguard your upgrade experience, we have applied a hold on devices with affected Avast and AVG Antivirus from being offered or installing Windows 10, version 1903 or Windows 10, version 1909, until&nbsp;the application is updated.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1909; Windows 10, version 1903</li><li>Server: Windows Server, version 1909; Windows Server, version 1903</li></ul><div></div><div><strong>Workaround: </strong>Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated version of your Avast or AVG application. 
Guidance for Avast and AVG customers can be found in the following support articles:</div><ul><li><a href=\"https://support.avast.com/en-ww/article/253?p_pro=131&amp;p_ves=1&amp;p_lng=en&amp;p_lid=en-us&amp;p_vbd=2022&amp;cid=9632b01a-b7ec-4366-95d6-996c79ff9420\" rel=\"noopener noreferrer\" target=\"_blank\">Avast support KB article</a></li><li><a href=\"https://support.avg.com/SupportArticleView?supportType=home&amp;urlName=AVG-Antivirus-Windows-10-update&amp;cid=9632b01a-b7ec-4366-95d6-996c79ff9420&amp;l=en\" rel=\"noopener noreferrer\" target=\"_blank\">AVG support KB article</a></li></ul><div></div><div><strong>Note</strong>&nbsp;We recommend that you do not attempt to manually update using the&nbsp;<strong>Update now</strong>&nbsp;button or the Media Creation Tool until a new version of your Avast or AVG application has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.</div><br><a href ='#322msg'>Back to top</a></td><td>N/A <br><br><a href ='' target='_blank'></a></td><td>Mitigated External<br></td><td>Last updated:<br>November 25, 2019 <br>05:25 PM PT<br><br>Opened:<br>November 22, 2019 <br>04:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='364msgdesc'></div><b>TLS connections might fail or timeout</b><div>Updates for Windows released October 8, 2019 or later provide protections, tracked by <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1318\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2019-1318</a>, against an attack that could allow unauthorized access to information or data within TLS connections.&nbsp;This type of attack is known as a man-in-the-middle exploit.&nbsp;Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (<a href=\"https://tools.ietf.org/html/rfc7627\" rel=\"noopener noreferrer\" target=\"_blank\">RFC 7627</a>). Lack of RFC support might cause one or more of the following errors or logged events:</div><ul><li>\"The request was aborted: Could not create SSL/TLS secure Channel\"</li><li>SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. 
The TLS protocol defined fatal alert code is 20.\"</li></ul><div></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2</li></ul><div></div><div><br></div><div><strong>Next Steps: </strong>Connections between two devices running any supported version of Windows should not have this issue when fully updated.&nbsp;There is no update for Windows needed for this issue.&nbsp;These changes are required to address a security issue and security compliance. For information, see <a href=\"https://support.microsoft.com/help/4528489\" rel=\"noopener noreferrer\" target=\"_blank\">KB4528489</a>.</div><br><a href ='#364msg'>Back to top</a></td><td>OS Build 18362.418<br><br>October 08, 2019<br><a href ='https://support.microsoft.com/help/4517389' target='_blank'>KB4517389</a></td><td>Mitigated External<br></td><td>Last updated:<br>November 05, 2019 <br>03:36 PM PT<br><br>Opened:<br>November 05, 2019 <br>03:36 PM PT</td></tr>
</table>
"
@ -101,16 +99,6 @@ sections:
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='348msgdesc'></div><b>Unable to create local users in Chinese, Japanese and Korean during device setup</b><div>When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.</div><div><br></div><div><strong>Note</strong> This issue does not affect using a Microsoft Account during OOBE.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709</li><li>Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709</li></ul><div></div><div><strong>Workaround: </strong>To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using <a href=\"https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725595(v=ws.11)\" rel=\"noopener noreferrer\" target=\"_blank\">these instructions</a>. 
If you prefer to create a new local user, see <a href=\"https://support.microsoft.com/help/4026923\" rel=\"noopener noreferrer\" target=\"_blank\">KB4026923</a>.</div><div><br></div><div><strong>Next steps: </strong>We are working on a resolution and will provide an update in an upcoming release.</div><br><a href ='#348msg'>Back to top</a></td><td>OS Build 18362.356<br><br>September 10, 2019<br><a href ='https://support.microsoft.com/help/4515384' target='_blank'>KB4515384</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>Last updated:<br>November 12, 2019 <br>08:05 AM PT<br><br>Opened:<br>October 29, 2019 <br>05:15 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='358msgdesc'></div><b>Unable to discover or connect to Bluetooth devices using some Qualcomm adapters</b><div>Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li><li>Server: Windows Server, version 1903</li></ul><div></div><div><strong>Resolution:&nbsp;</strong>This issue was resolved in&nbsp;<a href='https://support.microsoft.com/help/4517389' target='_blank'>KB4517389</a> and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.</div><br><a href ='#358msg'>Back to top</a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4517389' target='_blank'>KB4517389</a></td><td>Resolved:<br>October 08, 2019 <br>10:00 AM PT<br><br>Opened:<br>October 25, 2019 <br>04:21 PM PT</td></tr>
</table>
"
- title: September 2019
- items:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='338msgdesc'></div><b>Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters</b><div>Microsoft and NEC have found incompatibility issues with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards when running Windows 10, version 1903 on&nbsp;specific models of NEC devices.&nbsp;If these devices are updated to Windows 10, version 1903, they will no longer be able to use any Wi-Fi connections.&nbsp;The Wi-Fi driver may have a&nbsp;yellow exclamation point in device manager.&nbsp;The task tray icon for networking may show the icon for no internet and&nbsp;<strong>Network &amp; Internet settings</strong>&nbsp;may not show any Wi-Fi networks.</div><div><br></div><div>To safeguard your update experience, we have applied a compatibility hold on the affected devices from being offered Windows 10, version 1903.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Resolution: </strong>This issue was resolved in <a href='https://support.microsoft.com/help/4522355' target='_blank'>KB4522355</a>. The safeguard hold is estimated to be removed in mid-November.</div><br><a href ='#338msg'>Back to top</a></td><td>N/A <br><br><a href ='' target='_blank'></a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4522355' target='_blank'>KB4522355</a></td><td>Resolved:<br>October 24, 2019 <br>10:00 AM PT<br><br>Opened:<br>September 13, 2019 <br>05:25 PM PT</td></tr>
</table>
"

View File

@ -64,8 +64,8 @@ sections:
- type: markdown
text: "<div>This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.</div><br>
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Last updated</td></tr>
<tr><td><div id='322msg'></div><b>Issues with some older versions of Avast and AVG anti-virus products</b><br>Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.<br><br><a href = '#322msgdesc'>See details ></a></td><td>N/A <br><br><a href ='' target='_blank'></a></td><td>Mitigated External<br></td><td>November 25, 2019 <br>05:25 PM PT</td></tr>
<tr><td><div id='231msg'></div><b>Intermittent loss of Wi-Fi connectivity</b><br>Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. <br><br><a href = '#231msgdesc'>See details ></a></td><td>OS Build 18363.476<br><br>November 12, 2019<br><a href ='https://support.microsoft.com/help/4524570' target='_blank'>KB4524570</a></td><td>Resolved External<br></td><td>November 22, 2019 <br>04:10 PM PT</td></tr>
<tr><td><div id='322msg'></div><b>Issues with some older versions of Avast and AVG anti-virus products</b><br>Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.<br><br><a href = '#322msgdesc'>See details ></a></td><td>N/A <br><br><a href ='' target='_blank'></a></td><td>Mitigated External<br></td><td>November 22, 2019 <br>04:10 PM PT</td></tr>
<tr><td><div id='225msg'></div><b>Unable to discover or connect to Bluetooth devices using some Realtek adapters</b><br>Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.<br><br><a href = '#225msgdesc'>See details ></a></td><td>OS Build 18363.476<br><br>November 12, 2019<br><a href ='https://support.microsoft.com/help/4524570' target='_blank'>KB4524570</a></td><td>Resolved External<br></td><td>November 15, 2019 <br>05:59 PM PT</td></tr>
<tr><td><div id='348msg'></div><b>Unable to create local users in Chinese, Japanese and Korean during device setup</b><br>You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.<br><br><a href = '#348msgdesc'>See details ></a></td><td>OS Build 18363.476<br><br>November 12, 2019<br><a href ='https://support.microsoft.com/help/4524570' target='_blank'>KB4524570</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>November 12, 2019 <br>08:05 AM PT</td></tr>
</table>
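Review bot: The 322msg summary row is moved to the top and its Last updated stamp changes from November 22 to November 25, but the summary text itself is unchanged; if the bump reflects the reworded details entry in the next hunk, consider mirroring the one substantive fact from there (Antivirus version 19.5.4444.567 or earlier is affected) in the summary, which currently says only "some versions" and does not tell an admin which devices are under the hold.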
@ -83,7 +83,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='322msgdesc'></div><b>Issues with some older versions of Avast and AVG anti-virus products</b><div>Microsoft and Avast has identified compatibility issues with some versions of Avast Antivirus and AVG Antivirus. Any application from Avast or AVG that contains Antivirus version 19.5.4444.567 or earlier is affected.</div><div><br></div><div>To safeguard your upgrade experience, we have applied a hold on devices with affected Avast and AVG Antivirus from being offered or installing Windows 10, version 1903 or Windows 10, version 1909, until&nbsp;the application is updated.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1909; Windows 10, version 1903</li><li>Server: Windows Server, version 1909; Windows Server, version 1903</li></ul><div></div><div><strong>Workaround: </strong>Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated version of your Avast or AVG application. 
Guidance for Avast and AVG customers can be found in the following support articles:</div><ul><li><a href=\"https://support.avast.com/en-ww/article/253?p_pro=131&amp;p_ves=1&amp;p_lng=en&amp;p_lid=en-us&amp;p_vbd=2022&amp;cid=9632b01a-b7ec-4366-95d6-996c79ff9420\" rel=\"noopener noreferrer\" target=\"_blank\">Avast support KB article</a></li><li><a href=\"https://support.avg.com/SupportArticleView?supportType=home&amp;urlName=AVG-Antivirus-Windows-10-update&amp;cid=9632b01a-b7ec-4366-95d6-996c79ff9420&amp;l=en\" rel=\"noopener noreferrer\" target=\"_blank\">AVG support KB article</a></li></ul><div></div><div><strong>Note</strong>&nbsp;We recommend that you do not attempt to manually update using the&nbsp;<strong>Update now</strong>&nbsp;button or the Media Creation Tool until a new version of your Avast or AVG application has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.</div><br><a href ='#322msg'>Back to top</a></td><td>N/A <br><br><a href ='' target='_blank'></a></td><td>Mitigated External<br></td><td>Last updated:<br>November 22, 2019 <br>04:10 PM PT<br><br>Opened:<br>November 22, 2019 <br>04:10 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='322msgdesc'></div><b>Issues with some older versions of Avast and AVG anti-virus products</b><div>Microsoft and Avast has identified compatibility issues with some older versions of Avast Antivirus and AVG Antivirus that might still be installed by a small number of users. Any application from Avast or AVG that contains Antivirus version 19.5.4444.567 or earlier is affected.</div><div><br></div><div>To safeguard your upgrade experience, we have applied a hold on devices with affected Avast and AVG Antivirus from being offered or installing Windows 10, version 1903 or Windows 10, version 1909, until&nbsp;the application is updated.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1909; Windows 10, version 1903</li><li>Server: Windows Server, version 1909; Windows Server, version 1903</li></ul><div></div><div><strong>Workaround: </strong>Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated version of your Avast or AVG application. 
Guidance for Avast and AVG customers can be found in the following support articles:</div><ul><li><a href=\"https://support.avast.com/en-ww/article/253?p_pro=131&amp;p_ves=1&amp;p_lng=en&amp;p_lid=en-us&amp;p_vbd=2022&amp;cid=9632b01a-b7ec-4366-95d6-996c79ff9420\" rel=\"noopener noreferrer\" target=\"_blank\">Avast support KB article</a></li><li><a href=\"https://support.avg.com/SupportArticleView?supportType=home&amp;urlName=AVG-Antivirus-Windows-10-update&amp;cid=9632b01a-b7ec-4366-95d6-996c79ff9420&amp;l=en\" rel=\"noopener noreferrer\" target=\"_blank\">AVG support KB article</a></li></ul><div></div><div><strong>Note</strong>&nbsp;We recommend that you do not attempt to manually update using the&nbsp;<strong>Update now</strong>&nbsp;button or the Media Creation Tool until a new version of your Avast or AVG application has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.</div><br><a href ='#322msg'>Back to top</a></td><td>N/A <br><br><a href ='' target='_blank'></a></td><td>Mitigated External<br></td><td>Last updated:<br>November 25, 2019 <br>05:25 PM PT<br><br>Opened:<br>November 22, 2019 <br>04:10 PM PT</td></tr>
</table>
"

View File

@ -60,6 +60,7 @@ sections:
- type: markdown
text: "<div>This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.</div><br>
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Last updated</td></tr>
<tr><td><div id='375msg'></div><b>Printing from 32-bit apps might fail on a 64-bit OS</b><br>When attempting to print, you may receive an error or the application may stop responding or close.<br><br><a href = '#375msgdesc'>See details ></a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512489' target='_blank'>KB4512489</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4525250' target='_blank'>KB4525250</a></td><td>November 12, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='364msg'></div><b>TLS connections might fail or timeout</b><br>Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.<br><br><a href = '#364msgdesc'>See details ></a></td><td>October 08, 2019<br><a href ='https://support.microsoft.com/help/4520005' target='_blank'>KB4520005</a></td><td>Mitigated External<br></td><td>November 05, 2019 <br>03:36 PM PT</td></tr>
<tr><td><div id='218msg'></div><b>Unable to access some gov.uk websites</b><br>gov.uk websites that dont support “HSTS” may not be accessible<br><br><a href = '#218msgdesc'>See details ></a></td><td>May 14, 2019<br><a href ='https://support.microsoft.com/help/4499151' target='_blank'>KB4499151</a></td><td>Investigating<br><a href = 'https://support.microsoft.com/help/4505050' target='_blank'>KB4505050</a></td><td>May 16, 2019 <br>06:41 PM PT</td></tr>
<tr><td><div id='217msg'></div><b>Japanese IME doesn't show the new Japanese Era name as a text input option</b><br>With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.<br><br><a href = '#217msgdesc'>See details ></a></td><td>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493443' target='_blank'>KB4493443</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>May 15, 2019 <br>05:53 PM PT</td></tr>
@ -79,6 +80,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='375msgdesc'></div><b>Printing from 32-bit apps might fail on a 64-bit OS</b><div>When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. <strong>Note</strong> This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 8.1</li><li>Server: Windows Server 2012 R2; Windows Server 2012</li></ul><div></div><div><strong>Resolution:</strong> This issue is resolved in <a href='https://support.microsoft.com/help/4525250' target='_blank'>KB4525250</a>. However, the issue occurs when you install&nbsp;only <a href='https://support.microsoft.com/help/4512489' target='_blank'>KB4512489</a> (released on August 13, 2019) without installing <a href=\"https://support.microsoft.com/en-us/help/4507457\" rel=\"noopener noreferrer\" target=\"_blank\">KB4507457</a>, the previous Security Only update (released July 9, 2019). <strong>Reminder</strong> When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.</div><br><a href ='#375msg'>Back to top</a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512489' target='_blank'>KB4512489</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4525250' target='_blank'>KB4525250</a></td><td>Resolved:<br>November 12, 2019 <br>10:00 AM PT<br><br>Opened:<br>November 27, 2019 <br>04:02 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='364msgdesc'></div><b>TLS connections might fail or timeout</b><div>Updates for Windows released October 8, 2019 or later provide protections, tracked by <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1318\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2019-1318</a>, against an attack that could allow unauthorized access to information or data within TLS connections.&nbsp;This type of attack is known as a man-in-the-middle exploit.&nbsp;Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (<a href=\"https://tools.ietf.org/html/rfc7627\" rel=\"noopener noreferrer\" target=\"_blank\">RFC 7627</a>). Lack of RFC support might cause one or more of the following errors or logged events:</div><ul><li>\"The request was aborted: Could not create SSL/TLS secure Channel\"</li><li>SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. 
The TLS protocol defined fatal alert code is 20.\"</li></ul><div></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2</li></ul><div></div><div><br></div><div><strong>Next Steps: </strong>Connections between two devices running any supported version of Windows should not have this issue when fully updated.&nbsp;There is no update for Windows needed for this issue.&nbsp;These changes are required to address a security issue and security compliance. For information, see <a href=\"https://support.microsoft.com/help/4528489\" rel=\"noopener noreferrer\" target=\"_blank\">KB4528489</a>.</div><br><a href ='#364msg'>Back to top</a></td><td>October 08, 2019<br><a href ='https://support.microsoft.com/help/4520005' target='_blank'>KB4520005</a></td><td>Mitigated External<br></td><td>Last updated:<br>November 05, 2019 <br>03:36 PM PT<br><br>Opened:<br>November 05, 2019 <br>03:36 PM PT</td></tr>
</table>
"
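Review bot: the History cell of the added 375msgdesc row has "Opened: November 27, 2019" after "Resolved: November 12, 2019", so the entry was opened fifteen days after it was resolved and after the "Last updated" date shown in the summary row; check which date is meant and correct one of them. In the same row, "This issue is resolved in KB4525250. However, the issue occurs when you install only KB4512489 ... without installing KB4507457" reads oddly because "However" follows the resolution; suggest "The issue occurs only when you install KB4512489 (August 13, 2019) without the previous Security Only update, KB4507457 (July 9, 2019); it is resolved in KB4525250." The unchanged 364msgdesc row also splits the quoted SCHANNEL description across a literal line break ("...remote endpoint." / "The TLS protocol defined fatal alert code is 20."), which will show up as a break in the rendered bullet; join it while this block is being edited.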

View File

@ -60,6 +60,7 @@ sections:
- type: markdown
text: "<div>This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.</div><br>
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Last updated</td></tr>
<tr><td><div id='375msg'></div><b>Printing from 32-bit apps might fail on a 64-bit OS</b><br>When attempting to print, you may receive an error or the application may stop responding or close.<br><br><a href = '#375msgdesc'>See details ></a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512482' target='_blank'>KB4512482</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4525253' target='_blank'>KB4525253</a></td><td>November 12, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='364msg'></div><b>TLS connections might fail or timeout</b><br>Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.<br><br><a href = '#364msgdesc'>See details ></a></td><td>October 08, 2019<br><a href ='https://support.microsoft.com/help/4520007' target='_blank'>KB4520007</a></td><td>Mitigated External<br></td><td>November 05, 2019 <br>03:36 PM PT</td></tr>
<tr><td><div id='218msg'></div><b>Unable to access some gov.uk websites</b><br>gov.uk websites that dont support “HSTS” may not be accessible<br><br><a href = '#218msgdesc'>See details ></a></td><td>May 14, 2019<br><a href ='https://support.microsoft.com/help/4499171' target='_blank'>KB4499171</a></td><td>Investigating<br><a href = 'https://support.microsoft.com/help/4505050' target='_blank'>KB4505050</a></td><td>May 16, 2019 <br>06:41 PM PT</td></tr>
<tr><td><div id='217msg'></div><b>Japanese IME doesn't show the new Japanese Era name as a text input option</b><br>With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.<br><br><a href = '#217msgdesc'>See details ></a></td><td>April 25, 2019<br><a href ='https://support.microsoft.com/help/4493462' target='_blank'>KB4493462</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>May 15, 2019 <br>05:53 PM PT</td></tr>
@ -79,6 +80,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='375msgdesc'></div><b>Printing from 32-bit apps might fail on a 64-bit OS</b><div>When attempting to print from a 32-bit app on a 64-bit operating system (OS), you may receive an error, or the application may stop responding or close. <strong>Note</strong> This issue only affects the 64-bit Security Only updates listed and does not affect any Monthly Rollup.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 8.1</li><li>Server: Windows Server 2012 R2; Windows Server 2012</li></ul><div></div><div><strong>Resolution:</strong> This issue is resolved in <a href='https://support.microsoft.com/help/4525253' target='_blank'>KB4525253</a>. However, the issue occurs when you install&nbsp;only <a href='https://support.microsoft.com/help/4512482' target='_blank'>KB4512482</a> (released on August 13, 2019) without installing <a href=\"https://support.microsoft.com/help/4507447\" rel=\"noopener noreferrer\" target=\"_blank\">KB4507447</a>, the previous Security Only update (released July 9, 2019). <strong>Reminder</strong> When using the Security Only updates, you must install the latest and all previous Security Only updates to ensure that the device contains all resolved security vulnerabilities.</div><br><a href ='#375msg'>Back to top</a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512482' target='_blank'>KB4512482</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4525253' target='_blank'>KB4525253</a></td><td>Resolved:<br>November 12, 2019 <br>10:00 AM PT<br><br>Opened:<br>November 27, 2019 <br>04:02 PM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='364msgdesc'></div><b>TLS connections might fail or timeout</b><div>Updates for Windows released October 8, 2019 or later provide protections, tracked by <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1318\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2019-1318</a>, against an attack that could allow unauthorized access to information or data within TLS connections.&nbsp;This type of attack is known as a man-in-the-middle exploit.&nbsp;Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (<a href=\"https://tools.ietf.org/html/rfc7627\" rel=\"noopener noreferrer\" target=\"_blank\">RFC 7627</a>). Lack of RFC support might cause one or more of the following errors or logged events:</div><ul><li>\"The request was aborted: Could not create SSL/TLS secure Channel\"</li><li>SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. 
The TLS protocol defined fatal alert code is 20.\"</li></ul><div></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2</li></ul><div></div><div><br></div><div><strong>Next Steps: </strong>Connections between two devices running any supported version of Windows should not have this issue when fully updated.&nbsp;There is no update for Windows needed for this issue.&nbsp;These changes are required to address a security issue and security compliance. For information, see <a href=\"https://support.microsoft.com/help/4528489\" rel=\"noopener noreferrer\" target=\"_blank\">KB4528489</a>.</div><br><a href ='#364msg'>Back to top</a></td><td>October 08, 2019<br><a href ='https://support.microsoft.com/help/4520007' target='_blank'>KB4520007</a></td><td>Mitigated External<br></td><td>Last updated:<br>November 05, 2019 <br>03:36 PM PT<br><br>Opened:<br>November 05, 2019 <br>03:36 PM PT</td></tr>
</table>
"
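Review bot: same date problem as in the sibling file: the added 375msgdesc row shows "Opened: November 27, 2019" after "Resolved: November 12, 2019", while the summary row says the issue was last updated November 12; one of the dates is wrong. The KB numbers in this copy (KB4525253 resolving, KB4512482 originating, KB4507447 as the previous Security Only update) differ from the other copy (KB4525250 / KB4512489 / KB4507457), which is expected for separate products, but the two rows are otherwise word-for-word identical, so any wording fix to the "However, the issue occurs when you install only ..." sentence should be applied to both.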

View File

@ -1,5 +1,7 @@
# [Identity and access management](index.md)
## [Technical support policy for lost or forgotten passwords](password-support-policy.md)
## [Access Control Overview](access-control/access-control.md)
### [Dynamic Access Control Overview](access-control/dynamic-access-control.md)
### [Security identifiers](access-control/security-identifiers.md)

View File

@ -30,12 +30,12 @@ ms.reviewer:
- Azure Active Directory
- Hybrid Windows Hello for Business deployment
- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
- Windows 10, version 1709 or later, **Enterprise Edition**
- Windows 10, version 1709 to 1809, **Enterprise Edition**. There is no licensing requirement for this feature since version 1903.
The Microsoft PIN reset services enables you to help users recover who have forgotten their PIN. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
>[!IMPORTANT]
> The Microsoft PIN Reset service only works with Windows 10, version 1709 or later **Enterprise Edition**. The feature does not work with the **Pro** edition.]
> The Microsoft PIN Reset service only works with Windows 10, version 1709 to 1809 with **Enterprise Edition**. The feature works with **Pro** edition with Windows 10, version 1903 and newer.
### Onboarding the Microsoft PIN reset service to your Intune tenant
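Review bot: the replacement IMPORTANT callout is ambiguous: "only works with Windows 10, version 1709 to 1809 with Enterprise Edition" reads as if the service stops working after 1809, and the next sentence then says it works with Pro on 1903 and newer. Suggest: "On Windows 10, version 1709 to 1809, the Microsoft PIN Reset service requires Enterprise Edition; from Windows 10, version 1903 it also works with Pro edition." The requirements bullet above it should state the same fact in the same terms (it currently says "no licensing requirement for this feature since version 1903" while the callout says "works with Pro edition"). Dropping the stray trailing "]" from the old callout is correct. The unchanged sentence "The Microsoft PIN reset services enables you to help users recover who have forgotten their PIN" also needs fixing ("service enables you to help users who have forgotten their PIN") while this block is being touched.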
@ -43,11 +43,17 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
### Connect Azure Active Directory with the PIN reset service
1. Visit [Microsoft PIN Reset Service Integration website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.<br>
![PIN reset service application in Azure](images/pinreset/pin-reset-service-home-screen.png)<br>
3. In the Azure portal, you can verify that the Microsoft PIN reset service is integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.<br>
![PIN reset service permissions page](images/pinreset/pin-reset-service-application.png)
1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.
![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
4. After you log in, click **Accept** to give consent for the PIN reset client to access your account.
![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
>[!NOTE]
>After you Accept the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN Reset applications are listed for your tenant.
### Configure Windows devices to use PIN reset using Group Policy
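Review bot: the trailing `<br>` that separated the step text from the screenshot in the old steps 2 and 3 was dropped from the new steps 2, 4 and 5, so each image line now directly follows its list-item text and may render inline with it or break the numbered list; either keep the `<br>` or indent the image lines under their list items. The alt text of the step 5 screenshot still reads "PIN reset service permissions page" although the image is now pin-reset-applications.png and the step describes the Enterprise applications list; update it to match. Splitting the onboarding into separate consent steps for Microsoft PIN Reset Service Production and Microsoft PIN Reset Client Production, and the NOTE about the expected "You do not have permission to view this directory or page." result, are useful additions; consider also stating in step 1 that the account used needs rights to grant tenant-wide admin consent, since both links carry prompt=admin_consent.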

View File

@ -15,7 +15,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 05/05/2018
ms.date: 11/27/2019
---
# Windows Hello for Business Features
@ -27,236 +27,23 @@ Consider these additional features you can use after your organization deploys W
## Conditional access
**Requirements:**
* Azure Active Directory
* Hybrid Windows Hello for Business deployment
In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, applications, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS applications, IT professionals are faced with two opposing goals:+
* Empower the end users to be productive wherever and whenever
* Protect the corporate assets at any time
To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access.
Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access.
Azure Active Directory provides a wide set of options for protecting access to corporate resources. Conditional access provides more fine grained control over who can access certain resources and under what conditions. For more information see [Conditional Access](hello-feature-conditional-access.md).
## Dynamic lock
**Requirements:**
* Windows 10, version 1703
Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**.
The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
> [!IMPORTANT]
>Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.
```
<rule schemaVersion="1.0">
<signal type="bluetooth" scenario="Dynamic Lock" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
</rule>
```
For this policy setting, the **type** and **scenario** attribute values are static and cannot change. The **classofDevice** attribute defaults Phones and uses the values from the following table
|Description|Value|
|:-------------|:-------:|
|Miscellaneous|0|
|Computer|256|
|Phone|512|
|LAN/Network Access Point|768|
|Audio/Video|1024|
|Peripheral|1280|
|Imaging|1536|
|Wearable|1792|
|Toy|2048|
|Health|2304|
|Uncategorized|7936|
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.
RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
Dynamic lock uses a paired Bluetooth device to determine user presence and locks the device if a user is not present. For more information and configuration steps see [Dynamic Lock](hello-feature-dynamic-lock.md).
## PIN reset
**Applies to:**
- Windows 10, version 1709 or later
### Hybrid Deployments
**Requirements:**
- Azure Active Directory
- Hybrid Windows Hello for Business deployment
- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
- Windows 10, version 1709 or later, **Enterprise Edition**
The Microsoft PIN reset services enables you to help users who have forgotten their PIN. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
>[!IMPORTANT]
> The Microsoft PIN Reset service only works with Windows 10, version 1709 or later **Enterprise Edition**. The feature does not work with the **Pro** edition.
#### Onboarding the Microsoft PIN reset service to your Intune tenant
Before you can remotely reset PINs, you must on-board the Microsoft PIN reset service to your Azure Active Directory tenant, and configure devices you manage.
#### Connect Azure Active Directory with the PIN reset service
1. Visit [Microsoft PIN Reset Service Integration website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.<br>
![PIN reset service application in Azure](images/pinreset/pin-reset-service-home-screen.png)<br>
3. In the Azure portal, you can verify that the Microsoft PIN reset service is integrated from the **Enterprise applications**, **All applications** blade.<br>
![PIN reset service permissions page](images/pinreset/pin-reset-service-application.png)
#### Configure Windows devices to use PIN reset using Group Policy
You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
2. Edit the Group Policy object from step 1.
3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
#### Configure Windows devices to use PIN reset using Microsoft Intune
To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP):
##### Create a PIN Reset Device configuration profile using Microsoft Intune
1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.</br>
```
dsregcmd /status | findstr -snip "tenantid"
```
3. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**.
4. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list. Select **Custom** from the **Profile type** list.
5. In the **Custom OMA-URI Settings** blade, Click **Add**.
6. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where <b>*tenant ID*</b> is your Azure Active Directory tenant ID from step 2.
7. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
8. Click **OK** to save the row configuration. Click **OK** to close the <strong>Custom OMA-URI Settings blade. Click **Create</strong> to save the profile.
##### Assign the PIN Reset Device configuration profile using Microsoft Intune
1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration.
3. In the device configuration profile, click **Assignments**.
4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
### On-premises Deployments
**Requirements**
* Active Directory
* On-premises Windows Hello for Business deployment
* Reset from settings - Windows 10, version 1703, Professional
* Reset above Lock - Windows 10, version 1709, Professional
On-premises deployments provide users with the ability to reset forgotten PINs either through the settings page or from above the user's lock screen. Users must know or be provided their password for authentication, must perform a second factor of authentication, and then re-provision Windows Hello for Business.
>[!IMPORTANT]
>Users must have corporate network connectivity to domain controllers and the federation service to reset their PINs.
#### Reset PIN from Settings
1. Sign-in to Windows 10, version 1703 or later using an alternate credential.
2. Open **Settings**, click **Accounts**, click **Sign-in options**.
3. Under **PIN**, click **I forgot my PIN** and follow the instructions.
#### Reset PIN above the Lock Screen
1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
2. Enter your password and press enter.
3. Follow the instructions provided by the provisioning process
4. When finished, unlock your desktop using your newly created PIN.
>[!NOTE]
> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video.
Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen. The Microsoft PIN reset service can be used for completing this reset without the user needing to enroll a new Windows Hello for Business credential. For more information and configuration steps see [Pin Reset](hello-feature-pin-reset.md).
## Dual Enrollment
**Requirements**
* Hybrid and On-premises Windows Hello for Business deployments
* Enterprise Joined or Hybrid Azure joined devices
* Windows 10, version 1709
This feature enables provisioning of administrator Windows Hello for Business credentials that can be used by non-privileged accounts to perform administrative actions. These credentials can be used from the non-privileged accounts using **Run as different user** or **Run as administrator**. For more information and configuration steps see [Dual Enrollment](hello-feature-dual-enrollment.md).
> [!NOTE]
> This feature was previously known as **Privileged Credential** but was renamed to **Dual Enrollment** to prevent any confusion with the **Privileged Access Workstation** feature.
> [!IMPORTANT]
> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information.
Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.
By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
> [!IMPORTANT]
> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
### Configure Windows Hello for Business Dual Enroll
In this task you will
- Configure Active Directory to support Domain Administrator enrollment
- Configure Dual Enrollment using Group Policy
#### Configure Active Directory to support Domain Administrator enrollment
The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but will they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.</br>
```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```</br>
where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:</br>
```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink```
2. To trigger security descriptor propagation, open **ldp.exe**.
3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**.
4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user.
5. Click **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**. Click **Enter** to add this to the **Entry List**.
6. Click **Run** to start the task.
7. Close LDP.
#### Configuring Dual Enrollment using Group Policy
You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object.
1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
2. Edit the Group Policy object from step 1.
3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
5. Restart computers targeted by this Group Policy object.
The computer is ready for dual enrollment. Sign-in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign-out and sign-in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
## Remote Desktop with Biometrics
> [!Warning]
> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
**Requirements**
- Hybrid and On-premises Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
- Certificate trust deployments
- Biometric enrollments
- Windows 10, version 1809
Users using earlier versions of Windows 10 could remote desktop to using Windows Hello for Business but were limited to the using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.
> [!IMPORTANT]
> The remote desktop with biometrics feature only works with certificate trust deployments. The feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Microsoft continues to investigate supporting this feature for key trust deployments.
### How does it work
It start with creating cryptographic keys. Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider.
A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) store the key storage provider used to create the key (remember the certificate contains the public key).
This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN.
### Compatibility
Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png)
> [!IMPORTANT]
> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.
## Remote Desktop
Users with Windows Hello for Business certificate trust can use their credential to authenticate to remote desktop sessions over RDP. When authenticating to the session, biometric gestures can be used if they are enrolled. For more information and configuration steps see [Remote Desktop](hello-feature-remote-desktop.md).
## Related topics
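Review bot: the attribute name in "Configure Active Directory to support Domain Administrator enrollment" does not match the dsacls command that follows it: the prose says msDS-KeyCredentialsLink (and later "msDS-KeyCredential attribute") while the command grants RPWP on msDS-KeyCredentialLink, which is the spelling to keep throughout. In the same step the placeholder `**domainName\keyAdminGroup]**` has an unmatched bracket (the command shows `"[domainName\keyAdminGroup]"`), "but will they will disappear" repeats a word, and "It start with creating cryptographic keys" in "How does it work" should read "It starts with"; the closing "## Related topics" heading has nothing under it, so either add the links or drop the heading.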

View File

@ -21,6 +21,7 @@ Learn more about identity and access management technologies in Windows 10 and
| Section | Description |
|-|-|
| [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |

View File

@ -0,0 +1,58 @@
---
title: Technical support policy for lost or forgotten passwords
description: Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so.
ms.reviewer: kaushika
manager: kaushika
ms.custom:
- CI ID 110060
- CSSTroubleshoot
ms.author: v-tea
ms.prod: w10
ms.sitesec: library
ms.pagetype: security
author: Teresa-Motiv
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/20/2019
audience: ITPro
---
# Technical support policy for lost or forgotten passwords
Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. Be aware that, if these options dont work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.
If you lose or forget a password, you can use the links in this article to find published support information that will help you reset the password.
## How to reset a password for a domain account
If you lose or forget the password for a domain account, contact your IT administrator or Helpdesk. For more information, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115).
## How to reset a password for a Microsoft account
If you lose or forget the password for your Microsoft Account, use the [Recover your account](https://account.live.com/ResetPassword.aspx) wizard.
This wizard requests your security proofs. If you have forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you are the account holder. This decision is final. Microsoft does not influence the team's choice of action.
## How to reset a password for a local account on a Windows device
Local accounts on a device include the device's Administrator account.
### Windows 10
If you lose or forget the password for a local account on a device that runs Windows 10, see [Reset your Windows 10 local account password](https://support.microsoft.com/help/4028457).
### Windows 8.1 or Windows 7
If you lose or forget the password for a local account on a device that runs Windows 8.1 or Windows 7, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115). In that article, you can select your operating system version from the **Select Product Version** menu.
## How to reset a hardware BIOS password
If you lose or forget the password for the hardware BIOS of a device, contact the device manufacturer for help and support. If you do contact the manufacturer online, make sure that you visit the manufacturer website and not the website of some third party.
## How to reset a password for an individual file
Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers cannot help you reset, retrieve, or circumvent such passwords.
## Using third-party password tools
Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we cannot recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk.
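Review bot: "if these options dont work" in the opening paragraph is missing the apostrophe (don't). The product name is also capitalized three ways in this file ("Microsoft accounts", "Microsoft Account team", "Microsoft account" in the heading); pick one form and use it consistently.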

View File

@ -24,6 +24,17 @@
### [BitLocker Recovery Guide](bitlocker\bitlocker-recovery-guide-plan.md)
### [BitLocker Countermeasures](bitlocker\bitlocker-countermeasures.md)
### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
### Troubleshoot BitLocker
#### [Troubleshoot BitLocker](bitlocker\troubleshoot-bitlocker.md)
#### [BitLocker cannot encrypt a drive: known issues](bitlocker\ts-bitlocker-cannot-encrypt-issues.md)
#### [Enforcing BitLocker policies by using Intune: known issues](bitlocker\ts-bitlocker-intune-issues.md)
#### [BitLocker Network Unlock: known issues](bitlocker\ts-bitlocker-network-unlock-issues.md)
#### [BitLocker recovery: known issues](bitlocker\ts-bitlocker-recovery-issues.md)
#### [BitLocker configuration: known issues](bitlocker\ts-bitlocker-config-issues.md)
#### Troubleshoot BitLocker and TPM issues
##### [BitLocker cannot encrypt a drive: known TPM issues](bitlocker\ts-bitlocker-cannot-encrypt-tpm-issues.md)
##### [BitLocker and TPM: other known issues](bitlocker\ts-bitlocker-tpm-issues.md)
##### [Decode Measured Boot logs to track PCR changes](bitlocker\ts-bitlocker-decode-measured-boot-logs.md)
## [Encrypted Hard Drive](encrypted-hard-drive.md)

View File

@ -93,6 +93,7 @@ When installing the BitLocker optional component on a server you will also need
| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic for IT professionals describes the BCD settings that are used by BitLocker.|
| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. |
| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a devices configuration. |
| [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.|
| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core |


View File

@ -0,0 +1,136 @@
---
title: Guidelines for troubleshooting BitLocker
description: Describes approaches for investigating BitLocker issues, including how to gather diagnostic information
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
---
# Guidelines for troubleshooting BitLocker
This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides pointers to start the troubleshooting process, including what data to collect and what settings to check in order to narrow down the location in which these issues occur.
## Review the event logs
Open Event Viewer and review the following logs under Applications and Services logs\\Microsoft\\Windows:
- **BitLocker-API**. Review the Management log, the Operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
- Microsoft-Windows-BitLocker/BitLocker Operational
- Microsoft-Windows-BitLocker/BitLocker Management
- **BitLocker-DrivePreparationTool**. Review the Admin log, the **Operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
- Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
- Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
Additionally, review the Windows logs\\System log for events that were produced by the TCM and TCM-WMI event sources.
To filter and display or export logs, you can use the [wevtutil.exe](https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](https://docs.microsoft.com/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6) cmdlet.
For example, to use wevtutil to export the contents of the Operational log from the BitLocker-API folder to a text file that is named BitLockerAPIOpsLog.txt, open a Command Prompt window, and run a command that resembles the following:
```cmd
wevtutil qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLockerAPIOpsLog.txt
```
To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows Powershell window and run a command that resembles the following:
```ps
Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational"  | Export-Csv -Path Bitlocker-Operational.csv
```
You can use Get-WinEvent in an elevated PowerShell window to display filtered information from the System or Application log by using syntax that resembles the following:
- To display BitLocker-related information:
```ps
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | fl
```
The output of such a command resembles the following.
![Display of events that is produced by using Get-WinEvent and a BitLocker filter](./images/psget-winevent-1.png)
- To export BitLocker-related information:
```ps
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | Export-Csv -Path System-BitLocker.csv
```
- To display TPM-related information:
```ps
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | fl
```
- To export TPM-related information:
```ps
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | Export-Csv -Path System-TPM.csv
```
The output of such a command resembles the following.
![Display of events that is produced by using Get-WinEvent and a TPM filter](./images/psget-winevent-2.png)
> [!NOTE]
> If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section.
## Gather status information from the BitLocker technologies
Open an elevated Windows PowerShell window, and run each of the following commands.
|Command |Notes |
| - | - |
|[**get-tpm \> C:\\TPM.txt**](https://docs.microsoft.com/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. |
|[**manage-bde status \>&nbsp;C:\\BDEStatus.txt**](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. |
|[**manage-bde c: <br />-protectors -get \>&nbsp;C:\\Protectors**](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key. |
|[**reagentc&nbsp;/info&nbsp;\>&nbsp;C:\\reagent.txt**](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. |
|[**get-BitLockerVolume \| fl**](https://docs.microsoft.com/powershell/module/bitlocker/get-bitlockervolume?view=win10-ps) |Gets information about volumes that BitLocker Drive Encryption can protect. |
## Review the configuration information
1. Open an elevated Command Prompt window, and run the following commands.
|Command |Notes |
| - | - |
|[**gpresult /h \<Filename>**](https://docs.microsoft.com/windows-server/administration/windows-commands/gpresult) |Exports the Resultant Set of Policy information, and saves the information as an HTML file. |
|[**msinfo /report \<Path> /computer&nbsp;\<ComputerName>**](https://docs.microsoft.com/windows-server/administration/windows-commands/msinfo32) |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a .txt file. |
1. Open Registry Editor, and export the entries in the following subkeys:
- **HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE**
- **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\**
## Check the BitLocker prerequisites
Common settings that can cause issues for BitLocker include the following:
- The TPM must be unlocked. You can check the output of the **get-tpm** command for the status of the TPM.
- Windows RE must be enabled. You can check the output of the **reagentc** command for the status of WindowsRE.
- The system reserved partition must use the correct format.
- On Unified Extensible Firmware Interface (UEFI) computers, the system reserved partition must be formatted as FAT32.
- On legacy computers, the system reserved partition must be formatted as NTFS.
- If the device that you are troubleshooting is a slate or tablet PC, use <https://gpsearch.azurewebsites.net/#8153> to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option.
For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-basic-deployment#using-bitlocker-to-encrypt-volumes)
## Next steps
If the information that you have examined so far indicates a specific issue (for example, WindowsRE is not enabled), the issue may have a straightforward fix.
Resolving issues that do not have obvious causes depends on exactly which components are involved and what behavior you see. The information that you have gathered can help you narrow down the areas to investigate.
- If you are working on a device that is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md).
- If BitLocker does not start or cannot encrypt a drive and you notice errors or events that are related to the TPM, see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
- If BitLocker does not start or cannot encrypt a drive, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
- If BitLocker Network Unlock does not behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md).
- If BitLocker does not behave as expected when you recover an encrypted drive, or if you did not expect BitLocker to recover the drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md).
- If BitLocker does not behave as expected or the encrypted drive does not behave as expected, and you notice errors or events that are related to the TPM, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md).
- If BitLocker does not behave as expected or the encrypted drive does not behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md).
We recommend that you keep the information that you have gathered handy in case you decide to contact Microsoft Support for help to resolve your issue.
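Review bot: "Review the event logs" tells readers to look for events from the "TCM and TCM-WMI event sources" in the System log, but the sources are TPM and TPM-WMI (the TPM filters later in the same section confirm this), so the text would send readers looking for a source that does not exist. In "Review the configuration information" the command table lists `msinfo /report <Path> /computer <ComputerName>` while the linked reference and the executable are msinfo32, and the table sits directly after numbered item 1 without indentation, which breaks the list so the Registry Editor item renders as a second "1."; a stray `**` also precedes "Operational log" in the BitLocker-DrivePreparationTool bullet, and the PowerShell fences are tagged `ps`, which most renderers do not recognize, where `powershell` is the usual tag.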

View File

@ -0,0 +1,103 @@
---
title: BitLocker cannot encrypt a drive known issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
---
# BitLocker cannot encrypt a drive: known issues
This article describes common issues that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
> [!NOTE]
> If you have determined that your BitLocker issue involves the Trusted Platform Module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
## Error 0x80310059: BitLocker Drive Encryption is already performing an operation on this drive
When you turn on BitLocker Drive Encryption on a computer that is running Windows 10 Professional, you receive a message that resembles the following:
> **ERROR:** An error occurred (code 0x80310059):BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing.NOTE: If the -on switch has failed to add key protectors or start encryption,you may need to call manage-bde -off before attempting -on again.
### Cause
This issue may be caused by settings that are controlled by Group Policy Objects (GPOs).
### Resolution
> [!IMPORTANT]
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
To resolve this issue, follow these steps:
1. Start Registry Editor, and navigate to the following subkey:
**HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE**
1. Delete the following entries:
- **OSPlatformValidation\_BIOS**
- **OSPlatformValidation\_UEFI**
- **PlatformValidation**
1. Exit Registry Editor, and turn on BitLocker Drive Encryption again.
## "Access is denied" message when you try to encrypt removable drives
You have a computer that is running Windows 10, version 1709 or version 1607. You try to encrypt a USB drive by following these steps:
1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
1. Follow the instructions on the page to enter your password.
1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
1. The **Starting encryption** page displays the message "Access is denied."
You receive this message on any computer that runs Windows 10 version 1709 or version 1607, when you use any USB drive.
### Cause
The security descriptor of the BitLocker Drive Encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
To verify that this issue has occurred, follow these steps:
1. On an affected computer, open an elevated Command Prompt window and an elevated PowerShell window.
1. At the command prompt, enter the following command:
```cmd
C:\>sc sdshow bdesvc
```
The output of this command resembles the following:
> D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](https://docs.microsoft.com/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows.
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE](./images/ts-bitlocker-usb-sddl.png)
If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following:
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users](./images/ts-bitlocker-usb-default-sddl.png)
> [!NOTE]
> GPOs that change the security descriptors of services have been known to cause this issue.
### Resolution
1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
```ps
sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
```
1. Restart the computer.
The issue should now be resolved.
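Review bot: the Resolution step tells the reader to open an elevated PowerShell window and run `sc sdset bdesvc D:(A;;...)`, which does not work there: in Windows PowerShell `sc` is an alias for Set-Content, and the unquoted SDDL string is not passed as one argument once the parser sees the parentheses and semicolons. Either run it from the elevated Command Prompt already used for `sc sdshow bdesvc`, or call the executable and quote the descriptor, for example `sc.exe sdset bdesvc "D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)"`, and tag that fence `cmd` rather than `ps`. Two smaller points in the same file: the sample `sc sdshow` output under Cause already contains the `(A;;CCLCSWRPLORC;;;AU)` ACE, so it shows the healthy descriptor and is identical to the string the fix sets; an affected machine shows `;;;IU)` (INTERACTIVE) in that position, and the sample should reflect that so readers can match it. And since the note says a GPO that rewrites service security descriptors is a known cause, `sc sdset` only holds until the next policy refresh unless the System Services setting in that GPO is corrected as well; add a verification step after the restart (`sc sdshow bdesvc` again, or the same ConvertFrom-SddlString check, looking for Authenticated Users) and a pointer to fix the GPO.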

View File

@ -0,0 +1,129 @@
---
title: BitLocker cannot encrypt a drive known TPM issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
---
# BitLocker cannot encrypt a drive: known TPM issues
This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
> [!NOTE]
> If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period"
When you turn on BitLocker Drive Encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
### Cause
The TPM is locked out.
### Resolution
To resolve this issue, follow these steps:
1. Open an elevated PowerShell window and run the following script:
```ps
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
```
1. Restart the computer. If you are prompted at the restart screen, press F12 to agree.
1. Try again to start BitLocker Drive Encryption.
## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period"
You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
### Cause
The TPM is locked out.
### Resolution
To resolve this issue, disable and re-enable the TPM. To do this, follow these steps:
1. Restart the device, and change the BIOS configuration to disable the TPM.
1. Restart the device again, and return to the TPM management console. You should receive a message that resembles the following:
> Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.
1. Restart the device, and change the BIOS configuration to enable the TPM.
1. Restart the device, and return to the TPM management console.
If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm).
> [!WARNING]
> Clearing the TPM can cause data loss.
## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker Drive Encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights."
### Cause
The TPM did not have sufficient permissions on the TPM Devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker Drive Encryption could not run.
This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
### Resolution
To verify that you have correctly identified this issue, use one of the following methods:
- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker Drive Encryption again. The operation should now succeed.
- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container.
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
```ps
Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
```
In this command, *ComputerName* is the name of the affected computer.
1. To resolve the issue, use a tool such as dsacls.exe to make sure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF.
## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server"
Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
You have confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformationForComputer** attributes are present.
### Cause
The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS may not be correctly set.
### Resolution
To resolve this issue, follow these steps:
1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
1. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
1. In the script, modify the value of **strPathToDomain** to your domain name.
1. Open an elevated PowerShell window, and run the following command:
```ps
cscript <Path>Add-TPMSelfWriteACE.vbs
```
In this command \<*Path*> is the path to the script file.
For more information, see the following articles:
- [Back up the TPM recovery information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds)
- [Prepare your organization for BitLocker: Planning and policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies)
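Review bot: the script in the first Resolution ("The TPM is locked") is three statements collapsed onto one line, so pasting it as shown is a parse error; it needs to be split as `$Tpm = Get-WmiObject -Class Win32_Tpm -Namespace "root\CIMv2\Security\MicrosoftTpm"`, `$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus`, `if ($ConfirmationStatus -ne 4) { $Tpm.SetPhysicalPresenceRequest(22) }`. More importantly, physical presence operation 22 is "Enable + Activate + Clear + Enable + Activate": this resolution clears the TPM, which is exactly why the firmware asks for the F12 confirmation on the next boot, and every key the TPM protects goes with it (TPM protectors on any already-encrypted volume, Windows Hello, certificates in the Platform Crypto Provider). The "Clearing the TPM can cause data loss" warning that appears under the second heading belongs in front of this step too, together with an instruction to back up existing BitLocker recovery passwords before running it. Minor text fixes in the same file: "Windows Server 2008 R2to" is missing a space, and the principal in the AD DS resolution should be written `NT AUTHORITY\SELF`, not `NTAUTHORITY/SELF`.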

View File

@ -0,0 +1,182 @@
---
title: BitLocker configuration known issues
description: Describes common issues that involve your BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
---
# BitLocker configuration: known issues
This article describes common issues that affect your BitLocker configuration and BitLocker's general functionality. This article also provides guidance to address these issues.
## BitLocker encryption is slower in Windows 10
In both Windows 10 and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance.
To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and any internal drives are always encrypted *as soon as you turn on BitLocker*.
> [!IMPORTANT]
> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
### Benefits of using the new conversion model
By using the previous conversion model, you cannot consider an internal drive to be protected (and compliant with data protection standards) until the BitLocker conversion is 100 percent complete. Before the process finishes, the data that existed on the drive before encryption began&mdash;that is, potentially compromised data&mdash;can still be read and written without encryption. Therefore, you must wait for the encryption process to finish before you store sensitive data on the drive. Depending on the size of the drive, this delay can be substantial.
By using the new conversion model, you can safely store sensitive data on the drive as soon as you turn on BitLocker. You don't have to wait for the encryption process to finish, and encryption does not adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time.
### Other BitLocker enhancements
After Windows 7 was released, several other areas of BitLocker were improved:
- **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS are United States Government standards that provide a benchmark for implementing cryptographic software.
- **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces:
- BitLocker Wizard
- manage-bde
- Group Policy Objects (GPOs)
- Mobile Device Management (MDM) policy
- Windows PowerShell
- Windows Management Interface (WMI)
- **Integration with Azure Active Directory** (Azure AD). BitLocker can store recovery information in Azure AD to make it easier to recover.
- **[Direct memory access (DMA) Port Protection](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**. By using MDM policies to manage BitLocker, you can block a device's DMA ports and secure the device during its startup.
- **[BitLocker Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)**. If your BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, you can automatically unlock its operating system volume during a system restart.
- **Support for [Encrypted Hard Drives](https://docs.microsoft.com/windows/security/information-protection/encrypted-hard-drive)**. Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.
- **Support for classes of HDD/SSD hybrid disks**. BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
## Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption
Consider the following scenario:
1. You turn on BitLocker on a generation-2 virtual machine (VM) that runs on Hyper-V.
1. You add data to the data disk as it encrypts.
1. You restart the VM, and observe the following:
- The system volume is not encrypted.
- The encrypted volume is not accessible, and the computer lists the volume's file system as "Unknown."
- You see a message that resembles: "You need to format the disk in \<*x:*> drive before you can use it"
### Cause
This issue occurs because the third-party filter driver Stcvsm.sys (from StorageCraft) is installed on the VM.
### Resolution
To resolve this issue, remove the third-party software.
## Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
You have a Windows Server 2019 or 2016 Hyper-V Server that is hosting VMs (guests) that are configured as Windows domain controllers. BitLocker has encrypted the disks that store the Active Directory database and log files. When you run a “production snapshot” of the domain controller guests, the Volume Snap-Shot (VSS) service does not correctly process the backup.
This issue occurs regardless of any of the following variations in the environment:
- How the domain controller volumes are unlocked.
- Whether the VMs are generation 1 or generation 2.
- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
In the domain controller Application log, the VSS event source records event ID 8229:
> ID: 8229
> Level: Warning
> Source: VSS
> Message: A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.
>
> Changes that the writer made to the writer components while handling the event will not be available to the requester.
>
> Check the event log for related events from the application hosting the VSS writer.
>
> Operation:
> PostSnapshot Event
>
> Context:
> Execution Context: Writer
> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
> Writer Name: NTDS
> Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75}
> Command Line: C:\\Windows\\system32\\lsass.exe
>
> Process ID: 680
In the domain controller Directory Services event log, you see an event that resembles the following:
> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168
> Internal Processing Internal error: An Active Directory Domain Services error has occurred.
>
> &nbsp;Additional Data
> &nbsp;&nbsp;Error value (decimal): -1022
>
> Error value (hex): fffffc02
>
> Internal ID: 160207d9
> [!NOTE]
> The internal ID of this event may differ based on your operating system release and path level.
After this issue occurs, if you run the **VSSADMIN list writers** command, you see output that resembles the following for the Active Directory Domain Services (NTDS) VSS Writer:
> Writer name: 'NTDS'
> &nbsp;&nbsp;Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
> &nbsp;&nbsp;Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8}
> &nbsp;&nbsp;State: \[11\] Failed
> &nbsp;&nbsp;Last error: Non-retryable error
Additionally, you cannot back up the VMs until you restart them.
### Cause
After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. In the case of a "production snapshot," which you initiate from the host server, Hyper-V tries to mount the snapshotted volume. However, it cannot unlock the volume for unencrypted access. BitLocker on the Hyper-V server does not recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails.
This behavior is by design.
### Workaround
There is one supported way to perform backup and restore of a virtualized domain controller:
- Run Windows Server Backup in the guest operating system.
If you have to take a production snapshot of a virtualized domain controller, you can suspend BitLocker in the guest operating system before you start the production snapshot. However, this approach is not recommended.
For more information and recommendations about backing up virtualized domain controllers, see [Virtualizing Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers](https://docs.microsoft.com/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#backup-and-restore-considerations-for-virtualized-domain-controllers)
### More information
When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following:
```
\# for hex 0xc0210000 / decimal -1071579136
STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
\# This volume is locked by BitLocker Drive Encryption.
```
The operation produces the following call stack:
```
\# Child-SP RetAddr Call Site
00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]
02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\]
03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\]
04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\]
05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\]
06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\]
07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\]
08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\]
09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\]
0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\]
0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\]
```
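Review bot: the Workaround says suspending BitLocker in the guest before a production snapshot is "not recommended" without giving the reason, and the reason is the security-relevant part: suspending protection (`manage-bde -protectors -disable <drive>`) adds a clear-key protector to the volume, so a snapshot or backup taken while it is suspended carries the key and is readable without the TPM or a recovery password; `manage-bde -protectors -enable <drive>` afterwards protects the running VM but not the copies already taken. Say that, and that such snapshots must be stored and handled as plaintext. Two presentation points in the same file: inside the two fenced blocks under More information the markdown escapes (`\#`, `\_`, `\\`, `` \` ``, `\[`) render literally, for example `STATUS\_FVE\_LOCKED\_VOLUME`, so they should be removed; and the names should read "Windows Management Instrumentation (WMI)" in the enhancements list and "Volume Shadow Copy Service (VSS)" in the snapshot section, while "path level" in the note should be "patch level".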

View File

@ -0,0 +1,113 @@
---
title: Decode Measured Boot logs to track PCR changes
description: Provides instructions for installing and using a tool for analyzing log information to identify changes to PCRs
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
---
# Decode Measured Boot logs to track PCR changes
Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode.
By tracking changes in the PCRs, and identifying when they changed, you can gain insight into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the C:\\Windows\\Logs\\MeasuredBoot\\ folder.
This article describes tools that you can use to decode these logs: TBSLogGenerator and PCPTool.
For more information about Measured Boot and PCRs, see the following articles:
- [TPM fundamentals: Measured Boot with support for attestation](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation)
- [Understanding PCR banks on TPM 2.0 devices](https://docs.microsoft.com/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices)
## Use TBSLogGenerator to decode Measured Boot logs
Use TBSLogGenerator to decode Measured Boot logs that you have collected from Windows 10 and earlier versions. You can install this tool on the following systems:
- A computer that is running Windows Server 2016 and that has a TPM enabled
- A Gen 2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM)
To install the tool, follow these steps:
1. Download the Windows Hardware Lab Kit from one of the following locations:
- [Windows Hardware Lab Kit](https://docs.microsoft.com/windows-hardware/test/hlk/)
- Direct download link for Windows Server 2016: [Windows HLK, version 1607](https://go.microsoft.com/fwlink/p/?LinkID=404112)
1. Accept the default installation path.
![Specify Location page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-1.png)
1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit&mdash;Controller + Studio**.
![Select features page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-2.png)
1. Finish the installation.
To use TBSLogGenerator, follow these steps:
1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:
**C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb**
This folder contains the TBSLogGenerator.exe file.
![Properties and location of the TBSLogGenerator.exe file](./images/ts-tpm-3.png)
1. Run the following command:
```cmd
TBSLogGenerator.exe -LF <LogFolderName>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.txt
```
where the variables represent the following values:
- \<*LogFolderName*> = the name of the folder that contains the file to be decoded
- \<*LogFileName*> = the name of the file to be decoded
- \<*DestinationFolderName*> = the name of the folder for the decoded text file
- \<*DecodedFileName*> = the name of the decoded text file
For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file:
```cmd
TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
```
![Command Prompt window that shows an example of how to use TBSLogGenerator](./images/ts-tpm-4.png)
The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file.
![Windows Explorer window that shows the text file that TBSLogGenerator produces](./images/ts-tpm-5.png)
The content of this text file resembles the following.
![Contents of the text file, as shown in NotePad](./images/ts-tpm-6.png)
To find the PCR information, go to the end of the file.
![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png)
## Use PCPTool to decode Measured Boot logs
PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions.
To decode a log, run the following command:
```cmd
PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.xml
```
where the variables represent the following values:
- \<*LogFolderPath*> = the path to the folder that contains the file to be decoded
- \<*LogFileName*> = the name of the file to be decoded
- \<*DestinationFolderName*> = the name of the folder for the decoded text file
- \<*DecodedFileName*> = the name of the decoded text file
The content of the XML file resembles the following.
![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg)
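Review bot: both procedures stop at "look at the PCR information at the end of the file", but the title promises tracking PCR changes, and a single decoded log cannot show a change. The missing step is to decode two logs, the last boot that unlocked normally and the boot that ended in recovery (C:\Windows\Logs\MeasuredBoot holds one log per boot, so pick them by the numbered filename or timestamp), diff the PCR sections, and limit the comparison to the PCRs the protector actually validates, which `manage-bde -protectors -get C:` reports as the PCR Validation Profile (7 and 11 on a Secure Boot system, 0, 2, 4 and 11 otherwise). Also, PCPTool produces XML, yet the placeholder descriptions still say "the decoded text file", and the TBSLogGenerator example writes the .txt next to the .log, which contradicts the separate `<DestinationFolderName>` in the generic command; say that the destination may be the log folder itself.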

View File

@ -0,0 +1,346 @@
---
title: Enforcing BitLocker policies by using Intune known issues
description: provides assistance for issues that you may see if you use Microsoft Intune policy to manage silent BitLocker encryption on devices.
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
---
# Enforcing BitLocker policies by using Intune: known issues
This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
![The BitLocker status indictors on the Intune portal](./images/4509189-en-1.png)
To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
- [Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer](#issue-1)
- [Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer](#issue-2)
- [Event ID 854: WinRE is not configured](#issue-3)
- [Event ID 851: Contact manufacturer for BIOS upgrade](#issue-4)
- [Error message: The UEFI variable 'SecureBoot' could not be read](#issue-6)
- [Event ID 846, 778, and 851: Error 0x80072f9a](#issue-7)
- [Error message: Conflicting Group Policy settings for recovery options on operating system drives](#issue-5)
If you do not have a clear trail of events or error messages to follow, other areas to investigate include the following:
- [Review the hardware requirements for using Intune to manage BitLocker on devices](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements)
- [Review your BitLocker policy configuration](#policy)
For information about how to verify that Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
## <a id="issue-1"></a>Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following:
![Details of event ID 853 (TPM is not available, cannot find TPM)](./images/4509190-en-1.png)
### Cause
The device that you are trying to secure may not have a TPM chip, or the device BIOS might be configured to disable the TPM.
### Resolution
To resolve this issue, verify the following:
- The TPM is enabled in the device BIOS.
- The TPM status in the TPM management console resembles the following:
- Ready (TPM 2.0)
- Initialized (TPM 1.2)
For more information, see [Troubleshoot the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm).
## <a id="issue-2"></a>Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.
![Details of event ID 853 (TPM is not available, bootable media found)](./images/4509191-en-1.png)
### Cause
During the provisioning process, BitLocker Drive Encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts.
To avoid this situation, the provisioning process stops if it detects removable bootable media.
### Resolution
Remove the bootable media, and restart the device. After the device restarts, verify the encryption status.
## <a id="issue-3"></a>Event ID 854: WinRE is not configured
The event information resembles the following:
> Failed to enable Silent Encryption. WinRe is not configured.
>
> Error: This PC cannot support device encryption because WinRE is not properly configured.
### Cause
Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE.
The provisioning process enables BitLocker Drive Encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
If WinRE is not available on the device, provisioning stops.
### Resolution
You can resolve this issue by verifying the configuration of the disk partitions, the status of WinRE, and the Windows Boot Loader configuration. To do this, follow these steps.
#### Step 1: Verify the configuration of the disk partitions
The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following.
![Default disk partitions, including the recovery partition](./images/4509194-en-1.png)
To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
```
diskpart
list volume
```
![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png)
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from System Center Configuration Manager).
![Windows image configuration in System Center Configuration Manager](./images/sccm-imageconfig.jpg)
#### Step 2: Verify the status of WinRE
To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command:
```cmd
reagentc /info
```
The output of this command resembles the following.
![Output of the reagentc /info command](./images/4509193-en-1.png)
If the **Windows RE status** is not **Enabled**, run the following command to enable it:
```cmd
reagentc /enable
```
#### Step 3: Verify the Windows Boot Loader configuration
If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window:
```cmd
bcdedit /enum all
```
The output of this command resembles the following.
![Output of the bcdedit /enum all command](./images/4509196-en-1.png)
In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
## <a id="issue-4"></a>Event ID 851: Contact the manufacturer for BIOS upgrade instructions
The event information resembles the following:
> Failed to enable Silent Encryption.
>
> Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions.
### Cause
The device must use Unified Extensible Firmware Interface (UEFI) firmware. Silent BitLocker Drive Encryption does not support legacy BIOS, because it relies on UEFI Secure Boot measurements (PCR 7) for integrity validation.
### Resolution
To verify the BIOS mode, use the System Information app. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.
![System Information app, showing the BIOS Mode setting](./images/4509198-en-1.png)
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
> [!NOTE]
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
## <a id="issue-6"></a>Error message: The UEFI variable 'SecureBoot' could not be read
You receive an error message that resembles the following:
> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable SecureBoot could not be read. A required privilege is not held by the client.
### Cause
A Platform Configuration Register (PCR) is a register in the TPM that accumulates measurements of the boot process. PCR 7 records the Secure Boot state and policy, and silent BitLocker Drive Encryption binds the TPM protector to PCR 7. Therefore, Secure Boot must be turned on and readable by BitLocker.
### Resolution
You can resolve this issue by verifying the PCR validation profile of the TPM and the Secure Boot state. To do this, follow these steps:
#### Step 1: Verify the PCR validation profile of the TPM
To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
```cmd
Manage-bde -protectors -get %systemdrive%
```
In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows.
![Output of the manage-bde command](./images/4509199-en-1.png)
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), BitLocker is not using Secure Boot for integrity validation. This usually means that Secure Boot is not turned on.
![Output of the manage-bde command when PCR 7 is not present](./images/4509200-en-1.png)
#### Step 2: Verify the Secure Boot state
To verify the Secure Boot state, use the System Information app. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **Secure Boot State** setting is **On**, as follows:
![System Information app, showing a supported Secure Boot State](./images/4509201-en-1.png)
1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.
![System Information app, showing an unsupported Secure Boot State](./images/4509202-en-1.png)
> [!NOTE]
> You can also use the [Confirm-SecureBootUEFI](https://docs.microsoft.com/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
> ```ps
> PS C:\> Confirm-SecureBootUEFI
> ```
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
>
> If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False."
>
> If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
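The following script, added here as an example and not part of the original article, combines the checks from this section and the preceding **Event ID 851** section into one readiness report: firmware type (UEFI versus legacy BIOS), Secure Boot state, TPM presence, and whether the volume's TPM protector validates PCR 7. It uses the `firmware_type` environment variable, `Confirm-SecureBootUEFI`, `Get-Tpm`, and `manage-bde`, all of which ship with Windows 10. Run it from an elevated PowerShell prompt; the `manage-bde` parsing expects English output as shown in the screenshots above.

```powershell
# Added example (not from the original article): readiness check for the
# prerequisites described under Event ID 851 (UEFI firmware) and under the
# "SecureBoot could not be read" error (Secure Boot on, TPM protector on PCR 7).
# Uses $env:firmware_type, Confirm-SecureBootUEFI, Get-Tpm and manage-bde.

function Get-BitLockerPcrProfile {
    param([string[]]$ManageBdeOutput)
    # manage-bde prints "PCR Validation Profile:" and, on the next line, the
    # registers it validates, e.g. "7, 11" or "0, 2, 4, 11".
    for ($i = 0; $i -lt $ManageBdeOutput.Count - 1; $i++) {
        if ($ManageBdeOutput[$i] -match 'PCR Validation Profile') {
            return [int[]]($ManageBdeOutput[$i + 1] -split '[,\s]+' | Where-Object { $_ -match '^\d+$' })
        }
    }
    return $null   # no TPM-based protector on this volume
}

function Test-SilentEncryptionPrerequisites {
    param([string]$Drive = $env:SystemDrive)

    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }   # True / False
    catch { $secureBoot = 'Unsupported' }                                # legacy BIOS, or variable not readable

    $tpm  = Get-Tpm
    $pcrs = Get-BitLockerPcrProfile -ManageBdeOutput (manage-bde -protectors -get $Drive)

    [pscustomobject]@{
        FirmwareType = $env:firmware_type     # "UEFI" or "Legacy"
        SecureBoot   = $secureBoot
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        PcrProfile   = $(if ($pcrs) { $pcrs -join ', ' } else { 'no TPM protector' })
        Pcr7Bound    = [bool]($pcrs -contains 7)
    }
}

$check = Test-SilentEncryptionPrerequisites
$check | Format-List
if ($check.FirmwareType -ne 'UEFI') { Write-Warning 'Legacy BIOS: silent encryption is not supported (Event ID 851).' }
if ($check.SecureBoot -ne $true)    { Write-Warning 'Secure Boot is off or unsupported: BitLocker cannot use PCR 7 for integrity validation.' }
if ($check.PcrProfile -ne 'no TPM protector' -and -not $check.Pcr7Bound) {
    Write-Warning "The TPM protector validates PCRs $($check.PcrProfile), not PCR 7; the volume was sealed without Secure Boot."
}
```

A device that reports `Legacy` firmware cannot be fixed by policy; the firmware mode has to be switched (and Windows reinstalled in UEFI mode). A device that is `UEFI` with Secure Boot `False` needs Secure Boot turned on in firmware setup, after which the TPM protector must be resealed (suspend and resume BitLocker) before the PCR profile changes to include 7.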
## <a id="issue-7"></a>Event ID 846, 778, and 851: Error 0x80072f9a
In this case, you are deploying Intune policy to encrypt a Windows 10, version 1809 device and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option.
The policy deployment fails and generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder):
> Event ID:846
>
> Event:
> Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
>
> TraceId: {cbac2b6f-1434-4faa-a9c3-597b17c1dfa3}
> Error: Unknown HResult Error code: 0x80072f9a
> Event ID:778
>
> Event: The BitLocker volume C: was reverted to an unprotected state.
> Event ID: 851
>
> Event:
> Failed to enable Silent Encryption.
>
> Error: Unknown HResult Error code: 0x80072f9a.
These events refer to Error code 0x80072f9a.
### Cause
These events indicate that the signed-in user does not have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails.
The issue affects Windows 10 version 1809.
### Resolution
To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update.
## <a id="issue-5"></a>Error message: There are conflicting Group Policy settings for recovery options on operating system drives
You receive a message that resembles the following:
> **Error:** BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker…
### Resolution
To resolve this issue, review your Group Policy Object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy).
For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)?redirectedfrom=MSDN).
## <a id="policy"></a>Review your BitLocker policy configuration
For information about how to use policy together with BitLocker and Intune, see the following resources:
- [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises#managing-devices-joined-to-azure-active-directory)
- [BitLocker Group Policy Reference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)?redirectedfrom=MSDN)
- [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference)
- [Policy CSP &ndash; BitLocker](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-bitlocker)
- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
- [Enable ADMX-backed policies in MDM](https://docs.microsoft.com/windows/client-management/mdm/enable-admx-backed-policies-in-mdm)
- [gpresult](https://docs.microsoft.com/windows-server/administration/windows-commands/gpresult)
Intune offers the following enforcement types for BitLocker:
- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later.)
- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later.)
- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803.)
If your device runs Windows 10 version 1703 or later, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption.
If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following:
![Intune policy settings](./images/4509186-en-1.png)
The OMA-URI references for these settings are as follows:
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption**
Value Type: **Integer**
Value: **1**  (1 = Require, 0 = Not Configured)
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption**
Value Type: **Integer**
Value: **0** (0 = Blocked, 1 = Allowed)
> [!NOTE]
> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
> [!NOTE]
> If the **Waiting for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker Drive Encryption wizard.
If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard.
The Intune 1901 release provides settings that you can use to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements:
- Be HSTI-compliant
- Support Modern Standby
- Use Windows 10 version 1803 or later
![Intune policy setting](./images/4509188-en-1.png)
The OMA-URI references for these settings are as follows:
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption**
Value Type: **Integer**
Value: **1**
> [!NOTE]
> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**, Intune can enforce silent BitLocker encryption for Autopilot devices that have standard user profiles.
## Verifying that BitLocker is operating correctly
During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845.
![Event ID 796, as shown in Event Viewer](./images/4509203-en-1.png)
![Event ID 845, as shown in Event Viewer](./images/4509204-en-1.png)
You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
![BitLocker recovery information as viewed in Azure AD](./images/4509205-en-1.png)
On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker**
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device**
![Registry subkeys that relate to Intune policy](./images/4509206-en-1.png)
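The following script, added here as an example and not part of the original article, is a read-only audit of the two registry locations named above. It flags the specific Group Policy conflict behind the "conflicting Group Policy settings for recovery options" message (AD DS backup required while recovery passwords are not permitted), checks the three Intune CSP nodes listed in the OMA-URI sections, and pulls the BitLocker-API events that this section and the Event ID 846/778/851 section describe. The FVE value names (`OSRecovery`, `OSRecoveryPassword`, `OSRequireActiveDirectoryBackup`) are the ones written by the BitLocker ADMX template; confirm them against the Group Policy reference linked above if your template version differs.

```powershell
# Added example (not from the original article): audits the GPO and MDM
# BitLocker policy keys this section names and lists recent BitLocker-API events.
# Value names under Policies\Microsoft\FVE are those written by the BitLocker ADMX.

$GpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$MdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'

function Get-RegistryValues {
    param([string]$Path)
    $values = @{}
    if (Test-Path $Path) {
        foreach ($p in (Get-ItemProperty -Path $Path).PSObject.Properties) {
            # skip the provider's own PSPath/PSParentPath/... properties
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { $values[$p.Name] = $p.Value }
        }
    }
    return $values
}

function Test-BitLockerPolicyConflicts {
    $gpo = Get-RegistryValues $GpoKey
    $mdm = Get-RegistryValues $MdmKey
    $findings = @()

    # "Choose how BitLocker-protected operating system drives can be recovered":
    # OSRecoveryPassword 0 = do not allow a 48-digit recovery password;
    # OSRequireActiveDirectoryBackup 1 = do not enable BitLocker until the
    # recovery information is stored in AD DS. Both at once is the conflict.
    if ($gpo['OSRecovery'] -eq 1 -and $gpo['OSRequireActiveDirectoryBackup'] -eq 1 -and $gpo['OSRecoveryPassword'] -eq 0) {
        $findings += 'GPO requires AD DS backup of OS-drive recovery information but does not permit recovery passwords.'
    }

    # Intune silent-encryption nodes from the OMA-URI lists above
    if ($mdm['RequireDeviceEncryption'] -ne 1)            { $findings += 'RequireDeviceEncryption is not 1: encryption is not enforced by MDM.' }
    if ($mdm['AllowWarningForOtherDiskEncryption'] -ne 0) { $findings += 'AllowWarningForOtherDiskEncryption is not 0: the user is prompted instead of silent encryption.' }
    if ($mdm.ContainsKey('AllowStandardUserEncryption') -and $mdm['AllowStandardUserEncryption'] -ne 1) {
        $findings += 'AllowStandardUserEncryption is configured but not 1: standard users on Autopilot devices cannot trigger encryption.'
    }

    [pscustomobject]@{ GpoValues = $gpo; MdmValues = $mdm; Findings = $findings }
}

function Get-BitLockerManagementEvents {
    param([int[]]$Id = @(778, 796, 845, 846, 851), [int]$MaxEvents = 50)
    # 796/845 appear during normal operation; 778/846/851 are the failures described above.
    # The Event Viewer folder "BitLocker-API\Management" is this log name in Get-WinEvent.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = $Id } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$audit = Test-BitLockerPolicyConflicts
$audit | Format-List
$audit.Findings | ForEach-Object { Write-Warning $_ }
Get-BitLockerManagementEvents | Format-Table -AutoSize -Wrap
```

Run the audit on a device that shows the conflict message and on a healthy reference device; comparing the two `GpoValues` hashtables usually points straight at the GPO that sets `OSRecoveryPassword` to 0.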
---
title: BitLocker Network Unlock known issues
description: Describes several known issues that you may encounter while using Network Unlock, and provides guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/7/2019
---
# BitLocker Network Unlock: known issues
By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, you have to configure your environment to meet the following requirements:
- Each computer belongs to a domain
- Each computer has a wired connection to the corporate network
- The corporate network uses DHCP to manage IP addresses
- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware
For general guidelines about how to troubleshoot Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock).
This article describes several known issues that you may encounter when you use Network Unlock, and provides guidance to address these issues.
## Tip: Detect whether BitLocker Network Unlock is enabled on a specific computer
You can use the following steps on computers that have either x64 or x86 UEFI firmware. You can also script these commands.
1. Open an elevated Command Prompt window and run the following command:
```cmd
manage-bde -protectors -get <Drive>
```
where \<*Drive*> is the drive letter, followed by a colon (:), of the bootable drive.
If the output of this command includes a key protector of type **TpmCertificate (9)**, the Network Unlock protector is present and the configuration is correct for BitLocker Network Unlock.
1. Start Registry Editor, and verify the following settings:
- Entry **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE: OSManageNKP** is set to **1**
- Subkey **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** has an entry whose name matches the name of the certificate thumbprint of the Network Unlock key protector that you found in step 1.
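The following script, added here as an example and not part of the original article, performs both checks from this tip. Instead of parsing `manage-bde` text, it asks the BitLocker WMI provider (`Win32_EncryptableVolume`) for protectors of type 9, the **TpmCertificate** type mentioned above, and reads each protector's certificate thumbprint with the provider's `GetKeyProtectorCertificate` method (assumed here to apply to the Network Unlock protector as it does to other certificate-based protectors). It then verifies the `OSManageNKP` policy value and the presence of the thumbprint under the `FVE_NKP\Certificates` subkey. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): scripts the Network Unlock
# detection steps above using the BitLocker WMI provider and the registry.
# KeyProtectorType 9 = TPM certificate, the type the text calls TpmCertificate (9).

function Get-NetworkUnlockStatus {
    param([string]$Drive = $env:SystemDrive)   # e.g. "C:"

    $ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    $vol = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    if (-not $vol) { throw "No BitLocker volume object for $Drive" }

    # GetKeyProtectors(9) returns only TPM certificate (Network Unlock) protectors
    $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                -Arguments @{ KeyProtectorType = [uint32]9 }).VolumeKeyProtectorID
    if (-not $ids) {
        return [pscustomobject]@{ Drive = $Drive; NetworkUnlockProtector = $false }
    }

    # Step 2a: the "Allow network unlock at startup" policy must be applied
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    foreach ($id in $ids) {
        # Assumed: GetKeyProtectorCertificate returns CertThumbprint for this protector type
        $cert  = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorCertificate `
                    -Arguments @{ VolumeKeyProtectorID = $id }
        $thumb = $cert.CertThumbprint
        [pscustomobject]@{
            Drive                  = $Drive
            NetworkUnlockProtector = $true
            ProtectorId            = $id
            CertThumbprint         = $thumb
            OSManageNKP            = ($fve.OSManageNKP -eq 1)
            # Step 2b: the Network Unlock certificate must be in the FVE_NKP policy store
            CertInFveNkpStore      = Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates\$thumb"
        }
    }
}

Get-NetworkUnlockStatus | Format-List
```

All three of `NetworkUnlockProtector`, `OSManageNKP`, and `CertInFveNkpStore` must be `True` on a correctly configured client. A protector without a matching certificate in `FVE_NKP` typically means the Group Policy that distributes the Network Unlock certificate has not applied to that computer.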
## On a Surface Pro 4 device, BitLocker Network Unlock does not work because the UEFI network stack is incorrectly configured
You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN.
You test another device, such as a different type of tablet or laptop PC, that is configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device.
### Cause
The UEFI network stack on the device was incorrectly configured.
### Resolution
To correctly configure the UEFI network stack of the Surface Pro 4, you have to use Microsoft Surface Enterprise Management Mode (SEMM). For information about SEMM, see [Enroll and configure Surface devices with SEMM](https://docs.microsoft.com/surface/enroll-and-configure-surface-devices-with-semm).
> [!NOTE]
> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker Network Unlock by configuring the device to use the network as its first boot option.
## Unable to use BitLocker Network Unlock feature on a Windows client computer
You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8-based client computer that is connected to the corporate LAN by using an Ethernet cable. However, when you restart the computer, it still prompts you for the BitLocker PIN.
### Cause
A Windows 8-based or Windows Server 2012-based client computer sometimes does not receive or use the Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This means that a DHCP server that is configured to support BOOTP clients also replies to BOOTP requests.
The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option:
- The first two messages that the BitLocker Network Unlock client sends are DHCPDISCOVER and DHCPREQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages.
- The third message that the BitLocker Network Unlock client sends does not have the Message Type option. The DHCP server treats the message as a BOOTP request.
A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client does not send a DHCPREQUEST message, nor does that client expect a DHCPACK message.
If a DHCP server that is not configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence).
### Resolution
To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**.
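The following script, added here as an example and not part of the original article, applies that resolution with the DhcpServer PowerShell module on the DHCP server itself. A Windows DHCP scope's **Type** property is `Dhcp`, `Bootp`, or `Both`; `Both` is what the DHCP console shows as **DHCP and BOOTP** on the scope's **Advanced** tab. Run it first with `-WhatIf`, change only the scopes that serve Network Unlock clients, and confirm beforehand that no legacy BOOTP-only device depends on those scopes.

```powershell
# Added example (not from the original article): finds DHCP scopes that still
# answer BOOTP requests and switches them to DHCP only, which is the resolution
# described above. Requires the DhcpServer module on the DHCP server.

function Get-BootpEnabledScopes {
    # Type is Dhcp, Bootp or Both; anything other than Dhcp will answer BOOTP
    Get-DhcpServerv4Scope | Where-Object { $_.Type -ne 'Dhcp' } |
        Select-Object ScopeId, Name, Type, State
}

function Set-ScopeTypeToDhcpOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ScopeId)   # omit to change every BOOTP-enabled scope

    $scopes = Get-BootpEnabledScopes
    if ($ScopeId) { $scopes = $scopes | Where-Object { $ScopeId -contains $_.ScopeId.ToString() } }

    foreach ($s in $scopes) {
        if ($PSCmdlet.ShouldProcess("scope $($s.ScopeId) '$($s.Name)'", "change Type from $($s.Type) to Dhcp")) {
            Set-DhcpServerv4Scope -ScopeId $s.ScopeId -Type Dhcp
        }
    }
}

Get-BootpEnabledScopes           # audit first
Set-ScopeTypeToDhcpOnly -WhatIf  # then drop -WhatIf, optionally with -ScopeId 10.0.1.0
```

After the change, the third (BOOTP-style) message from the Network Unlock client is silently discarded by the DHCP server, as described in the cause section, and only the Windows Deployment Services server that hosts the Network Unlock provider answers it.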
---
title: BitLocker recovery known issues
description: Describes common issues that prevent BitLocker from behaving as expected when you recover a drive, or that cause BitLocker to start recovery unexpectedly, and provides guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
---
# BitLocker recovery: known issues
This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article provides guidance to address these issues.
> [!NOTE]
> In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to the 32-digit recovery key. For more information, see [BitLocker key protectors](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bitlocker-key-protectors).
## Windows 10 prompts for a non-existing BitLocker recovery password
Windows 10 prompts you for a BitLocker recovery password. However, you did not configure a BitLocker recovery password.
### Resolution
The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses situations that may produce this symptom, and provides information about how to resolve the issue:
- [What if BitLocker is enabled on a computer before the computer has joined the domain?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain)
- [What happens if the backup initially fails? Will BitLocker retry the backup?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-happens-if-the-backup-initially-fails-will-bitlocker-retry-the-backup)
## The recovery password for a laptop was not backed up, and the laptop is locked
You have a Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker Drive Encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password.
### Resolution
You can use either of the following methods to manually back up or synchronize an online client's existing recovery information:
- Create a Windows Management Instrumentation (WMI) script that backs up the information. For more information, see [BitLocker Drive Encryption Provider](https://docs.microsoft.com/windows/win32/secprov/bitlocker-drive-encryption-provider).
- In an elevated Command Prompt window, use the [manage-bde](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde) command to back up the information.
For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:
```cmd
manage-bde -protectors -adbackup C:
```
> [!NOTE]
> BitLocker does not automatically manage this backup process.
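The following script, added here as an example and not part of the original article, performs that backup with the BitLocker PowerShell module rather than `manage-bde`. `Backup-BitLockerKeyProtector` (AD DS) and `BackupToAAD-BitLockerKeyProtector` (Azure AD) both require the ID of a specific recovery password protector, so the script enumerates them; if the drive has no recovery password protector at all (a TPM-only configuration), it adds one first so that there is something to escrow. Run it elevated on the client while it is online and domain-joined (or Azure AD-joined when using `-ToAzureAD`).

```powershell
# Added example (not from the original article): escrows every 48-digit recovery
# password protector on a drive to AD DS or Azure AD using the BitLocker module.
# This is the same operation as "manage-bde -protectors -adbackup" or the WMI
# BackupRecoveryInformationToActiveDirectory method, done per protector ID.

function Backup-BitLockerRecoveryPasswords {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$ToAzureAD
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { throw "$MountPoint is not encrypted; there is nothing to back up" }

    $rps = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rps.Count -eq 0) {
        # TPM-only volume: create a recovery password so that recovery is possible at all
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $rps = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    foreach ($rp in $rps) {
        if ($ToAzureAD) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        } else {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
        [pscustomobject]@{
            MountPoint     = $MountPoint
            KeyProtectorId = $rp.KeyProtectorId
            Target         = $(if ($ToAzureAD) { 'Azure AD' } else { 'AD DS' })
        }
    }
}

Backup-BitLockerRecoveryPasswords              # AD DS
# Backup-BitLockerRecoveryPasswords -ToAzureAD  # Azure AD-joined device
```

Both backup cmdlets write an event to the BitLocker-API log on success; if the AD DS backup fails, check that the computer object has the **ms-FVE-RecoveryInformation** permissions that the BitLocker and AD DS FAQ linked above describes.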
## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode
You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command:
```cmd
Manage-bde -forcerecovery
```
However, after you enter the recovery password, the device cannot start.
### Cause
> [!IMPORTANT]
> Tablet devices do not support the **manage-bde -forcerecovery** command.
This issue occurs because the Windows Boot Manager cannot process touch input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch input.
If WinRE detects the TPM protector on the hard disk, it reseals the PCRs. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk, so WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
This behavior is by design for all versions of Windows.
### Workaround
To resolve the restart loop, follow these steps:
1. On the BitLocker Recovery screen, select **Skip this drive**.
1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**.
1. In the Command Prompt window, run the following commands :
```cmd
manage-bde -unlock C: -rp <48-digit BitLocker recovery password>
manage-bde -protectors -disable C:
```
1. Close the Command Prompt window.
1. Shut down the device.
1. Start the device. Windows should start as usual.
## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
You have a Surface device that has BitLocker Drive Encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update.
You experience one or more of the following symptoms on the Surface device:
- At startup, you are prompted for your BitLocker recovery password. You enter the correct recovery password, but Windows doesn't start up.
- Startup progresses directly into the Surface Unified Extensible Firmware Interface (UEFI) settings.
- The Surface device appears to be in an infinite restart loop.
### Cause
This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
- Secure Boot is turned off.
- PCR values have been explicitly defined, such as by Group Policy.
Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" in [BitLocker Group Policy Settings](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr).
### Resolution
To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command:
```cmd
manage-bde.exe -protectors -get <OSDriveLetter>:
```
In this command, &lt;*OSDriveLetter*&gt; represents the drive letter of the operating system drive.
To resolve this issue and repair the device, follow these steps.
#### <a id="step-1"></a>Step 1: Disable the TPM protectors on the boot drive
If you have installed a TPM or UEFI update and your device cannot start, even if you enter the correct BitLocker recovery password, you can restore the ability to start by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive.
To do this, follow these steps:
1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help.
1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive.
1. Insert the USB Surface recovery image drive into the Surface device, and start the device.
1. When you are prompted, select the following items:
1. Your operating system language.
1. Your keyboard layout.
1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
1. In the Command Prompt window, run the following commands:
```cmd
manage-bde -unlock -recoverypassword <Password> <DriveLetter>:
manage-bde -protectors -disable <DriveLetter>:
```
In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.
> [!NOTE]
> For more information about how to use this command, see [manage-bde: unlock](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-unlock).
1. Restart the computer.
1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1.
> [!NOTE]
> After you disable the TPM protectors, BitLocker Drive Encryption no longer protects your device. To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
#### <a id="step-2"></a>Step 2: Use Surface BMR to recover data and reset your device
To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps:
1. At the command prompt, run the following command:
```cmd
manage-bde -unlock -recoverypassword <Password> <DriveLetter>:
```
In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.
1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive.
> [!NOTE]
> For more information about the these commands, see the [Windows commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands).
1. To reset your device by using a Surface recovery image, follow the instructions in the "How to reset your Surface using your USB recovery drive" section in [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512).
#### Step 3: Restore the default PCR values
To prevent this issue from recurring, we strongly recommend that you restore the default configuration of Secure Boot and the PCR values.
To enable Secure Boot on a Surface device, follow these steps:
1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this command, <*DriveLetter*> is the letter that is assigned to your drive.
1. Restart the device, open the Surface UEFI settings, and set the **Secure Boot** option to **Microsoft Only**.
1. Restart the device.
1. Open an elevated PowerShell window, and run the following cmdlet:
```ps
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
To reset the PCR settings on the TPM, follow these steps:
1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.
For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings).
1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
where <*DriveLetter*> is the letter assigned to your drive.
1. Run the following cmdlet:
```ps
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
Resuming BitLocker reseals the TPM protector to the PCR values that the device currently reports, so the reseal must happen after the policy change and the Secure Boot change have taken effect.
#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates
You can avoid this scenario when you install updates to system firmware or TPM firmware by temporarily suspending BitLocker before you apply such updates.
> [!IMPORTANT]
> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps) and set the **RebootCount** parameter to either of the following values:
> - **2** or greater: This value sets the number of times the device can restart before BitLocker Device Encryption resumes.
> - **0**: This value suspends BitLocker Drive Encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps) or another mechanism to resume protection.
To suspend BitLocker while you install TPM or UEFI firmware updates:
1. Open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive.
1. Install the Surface device driver and firmware updates.
1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet:
```ps
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
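The following script, added here as an example and not part of the original article, wraps the Step 4 procedure so that the suspend and resume steps are verified rather than assumed: it refuses to suspend a volume that is still encrypting, warns if there is no recovery password protector to fall back on, suspends with `RebootCount 0`, and after the firmware update confirms that protection is back on. It uses `Get-BitLockerVolume`, `Suspend-BitLocker`, and `Resume-BitLocker` from the BitLocker module. Run the first function before installing the update and the second one from an elevated prompt after the final restart.

```powershell
# Added example (not from the original article): checked suspend/resume around
# a TPM or UEFI firmware update, as described in Step 4 above.

function Suspend-BitLockerForFirmwareUpdate {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "$MountPoint is $($vol.VolumeStatus); let encryption finish before updating firmware"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "Protection is already $($vol.ProtectionStatus) on $MountPoint; nothing to suspend"
        return
    }
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Write-Warning 'No recovery password protector exists; create and back one up before changing TPM or UEFI firmware'
    }

    # RebootCount 0: stay suspended across every restart the update needs,
    # until Resume-BitLocker is called explicitly (see the Important note above)
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    $after = (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
    if ($after -ne 'Off') { throw "Suspend did not take effect: protection is $after" }
    "BitLocker suspended on $MountPoint; install the firmware update now"
}

function Resume-BitLockerAfterFirmwareUpdate {
    param([string]$MountPoint = $env:SystemDrive)

    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') { throw "Resume failed: protection is $($vol.ProtectionStatus)" }

    # Resuming reseals the TPM protector to the PCR values the updated firmware
    # now reports, so the next boot does not fall into recovery.
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
    }
}

Suspend-BitLockerForFirmwareUpdate
# ... install the Surface driver and firmware package, restart as many times as it requires ...
# Resume-BitLockerAfterFirmwareUpdate
```

Keep the window between the two calls as short as the update allows: while protection is `Off`, the volume master key is stored in the clear on the disk and anyone with physical access can read the drive.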
## After you install an update to a Hyper-V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000
You have a device that runs Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016. Also, Hyper-V is enabled on the device. After you install an affected update and restart the device, the device enters BitLocker Recovery mode and you see error code 0xC0210000.
### Workaround
If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps:
1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on.
1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password.
1. If your device starts in WinRE and prompts you for the recovery password again, select **Skip the drive**.
1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**.
1. In the Command Prompt window, run the following commands:
```cmd
Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by - in 6 digit group>
Manage-bde -protectors -disable c:
exit
```
These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.
> [!NOTE]
> These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.
1. Select **Continue**. Windows should start.
1. After Windows has started, open an elevated Command Prompt window and run the following command:
```cmd
Manage-bde -protectors -enable c:
```
> [!IMPORTANT]
> Unless you suspend BitLocker before you start the device, this issue recurs.
To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command:
```cmd
Manage-bde -protectors -disable c: -rc 1
```
### Resolution
To resolve this issue, install the appropriate update on the affected device:
- For Windows 10, version 1703: [July 9, 2019—KB4507450 (OS Build 15063.1928)](https://support.microsoft.com/help/4507450/windows-10-update-kb4507450)
- For Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460)
## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
You have a device that uses TPM 1.2 and runs Windows 10, version 1809. Also, the device uses [Virtualization-based Security](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](https://docs.microsoft.com/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time that you start the device, the device enters BitLocker Recovery mode and you see error code 0xc0210000, and a message that resembles the following.
> Recovery
>
> Your PC/Device needs to be repaired.
> A required file couldn't be accessed because your BitLocker key wasn't loaded correctly.
>
> Error code 0xc0210000
>
> You'll need to use recovery tools. If you don't have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer.
### Cause
TPM 1.2 does not support Secure Launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection\#requirements-met-by-system-guard-enabled-machines)
For more information about this technology, see [Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows)
### Resolution
To resolve this issue, do one of the following:
- Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that enforce Secure Launch.
- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.
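Review bot: The note after the WinRE command block (the lines beginning "These commands suspend BitLocker for one restart" and "The **-rc 1** option works only inside the operating system") explains an option that the commands in that block never use; `Manage-bde -protectors -disable c:` is run there without a reboot count, so the note should either say what that form does when run from WinRE or move next to the later `Manage-bde -protectors -disable c: -rc 1` command, which is the one that actually takes `-rc 1`. Also, `-protectors -disable` suspends every key protector on the volume, not only the TPM protector, so "suspend BitLocker by disabling the TPM protectors" is more specific than the command. Three smaller fixes: "starts in the (WinRE)" has a stray parenthesis, "Hyper V-enabled" in the heading should be "Hyper-V-enabled", and the IMPORTANT box says "before you start the device" where the sentence after it says "before you restart the device".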

View File

@ -0,0 +1,113 @@
---
title: BitLocker and TPM other known issues
description: Describes common issues that relate directly to the TPM, and provides guidance for resolving those issues.
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
---
# BitLocker and TPM: other known issues
This article describes common issues that relate directly to the Trusted Platform Module (TPM), and provides guidance to address these issues.
## Azure AD: Windows Hello for Business and single sign-on do not work
You have an Azure Active Directory (Azure AD)-joined client computer that cannot authenticate correctly. You experience one or more of the following symptoms:
- Windows Hello for Business does not work.
- Conditional access fails.
- Single sign-on (SSO) does not work.
Additionally, the computer logs an entry for Event ID 1026, which resembles the following:
> Log Name: System
> Source: Microsoft-Windows-TPM-WMI
> Date: \<Date and Time>
> Event ID: 1026
> Task Category: None
> Level: Information
> Keywords:
> User: SYSTEM
> Computer: \<Computer name\>
> Description:
> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically.  To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready.
> Error: The TPM is defending against dictionary attacks and is in a time-out period.
> Additional Information: 0x840000
### Cause
This event indicates that the TPM is not ready or has some setting that prevents access to the TPM keys.
Additionally, the behavior indicates that the client computer cannot obtain a [Primary Refresh Token (PRT)](https://docs.microsoft.com/azure/active-directory/devices/concept-primary-refresh-token).
### Resolution
To verify the status of the PRT, use the [dsregcmd /status command](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT was not issued. This may indicate that the computer could not present its certificate for authentication.
To resolve this issue, follow these steps to troubleshoot the TPM:
1. Open the TPM management console (tpm.msc). To do this, select **Start**, and enter **tpm.msc** in the **Search** box.
1. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions.
1. If you do not see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout.
1. Contact the hardware vendor to determine whether there is a known fix for the issue.
1. If you still cannot resolve the issue, clear and re-initialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm).
> [!WARNING]
> Clearing the TPM can cause data loss.
## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider is not ready for use
You have a Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive a message that resembles the following:
> Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.
> HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY
> The device that is required by this cryptographic provider is not ready for use.
> TPM Spec version: TPM v1.2
On a different device that is running the same version of Windows, you can open the TPM management console.
### Cause (suspected)
These symptoms indicate that the TPM has hardware or firmware issues.
### Resolution
To resolve this issue, switch the TPM operating mode from version 1.2 to version 2.0.
If this does not resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0.
## Devices do not join hybrid Azure AD because of a TPM issue
You have a device that you are trying to join to a hybrid Azure AD. However, the join operation appears to fail.
To verify that the join succeeded, use the [dsregcmd /status command](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded:
- **AzureAdJoined: YES**
- **DomainName: \<*on-prem Domain name*\>**
If the value of **AzureADJoined** is **No**, the join failed.
### Causes and Resolutions
This issue may occur when the Windows operating system is not the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table:
|Message |Reason | Resolution|
| - | - | - |
|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that is not joined to or registered in Azure AD or hybrid Azure AD. |
|TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |
For more information about TPM issues, see the following articles:
- [TPM fundamentals: Anti-hammering](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#anti-hammering)
- [Troubleshooting hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current)
- [Troubleshoot the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm)
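Review bot: The quoted error text under "TPM 1.2 Error: Loading the management console failed" runs two copies of the HRESULT together as "0x800900300x80090030"; it should read "HRESULT 0x80090030 - NTE_DEVICE_NOT_READY". In the hybrid Azure AD join section the attribute is spelled **AzureAdJoined** in the success list and **AzureADJoined** in the failure sentence; dsregcmd prints the former, so use one spelling. The WARNING after the Azure AD troubleshooting steps ("Clearing the TPM can cause data loss") would be more useful if it said why: clearing the TPM discards the keys it holds, so a BitLocker volume protected by a TPM protector enters recovery afterward, and the reader should have the recovery password at hand or suspend BitLocker before step 5.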

View File

@ -1,6 +1,5 @@
---
title:
# Fine-tune Windows Information Policy (WIP) with WIP Learning
title: Fine-tune Windows Information Policy (WIP) with WIP Learning
description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
ms.reviewer:
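Review bot: The repaired `title:` still reads "Windows Information Policy (WIP)" while the description on the next line, and the WIP acronym itself, refer to Windows Information Protection; since this change is already fixing the broken front matter, make the title "Fine-tune Windows Information Protection (WIP) with WIP Learning" in the same edit.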

View File

@ -4,6 +4,7 @@
### [What is Microsoft Defender Advanced Threat Protection?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
### [Overview of Microsoft Defender ATP capabilities](microsoft-defender-atp/overview.md)
### [Threat & Vulnerability Management]()
#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)

View File

@ -46,6 +46,7 @@ ms.topic: conceptual
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
- [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
- [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
- [Configuration score](microsoft-defender-atp/configuration-score.md)
@ -58,7 +59,7 @@ This built-in capability uses a game-changing risk-based approach to the discove
<a name="asr"></a>
**[Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)**<br>
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.
- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
- [Application control](windows-defender-application-control/windows-defender-application-control.md)
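Review bot: Since this edit is already touching the sentence to change "exploitations" to "exploitation", fix its subject-verb agreement at the same time: "The attack surface reduction set of capabilities provide" should be "provides", and "these set of capabilities resist" should be "this set of capabilities resists".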

View File

@ -2,7 +2,7 @@
title: How Microsoft identifies malware and potentially unwanted applications
ms.reviewer:
description: Learn how Microsoft reviews software for unwanted behavior, advertising, privacy violations, and negative consumer opinion to determine if it is malware (malicious software) or potentially unwanted applications.
keywords: security, malware, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats, MMPC, Microsoft Malware Protection Center, PUA, potentially unwanted applications
keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
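Review bot: The replacement of "PC" with "device" in the new `keywords:` line has also turned the acronym "MMPC" into "MMdevice"; "MMPC" abbreviates "Microsoft Malware Protection Center", which immediately follows it in the list, so restore "MMPC". A global find-and-replace on "pc" is the likely cause; the rest of this change should be checked for the same substitution inside other words.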
@ -18,33 +18,31 @@ search.appverid: met150
# How Microsoft identifies malware and potentially unwanted applications
Microsoft aims to provide customers with the most delightful and productive Windows experience possible. To help achieve that, we try our best to ensure our customers are safe and in control of their devices.
Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. When you download, install, and run software, you have access to information and tools to do so safely. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. That information is then compared against criteria described in this article.
Microsoft gives you the information and tools you need when downloading, installing, and running software, as well as tools that protect you when we know that something unsafe is happening. Microsoft does this by identifying and analyzing software and online content against criteria described in this article.
You can participate in this process by submitting software for analysis. Our analysts and intelligent systems can then help identify undesirable software and ensure they are covered by our security solutions.
You can participate in this process by [submitting software for analysis](submission-guide.md) to ensure undesirable software is covered by our security solutions.
Because new forms of malware and potentially unwanted applications are being developed and distributed rapidly, Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or announcements.
## Malware
Malware is the overarching name for applications and other code, i.e. software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*.
Malware is the overarching name for applications and other code, like software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*.
### Malicious software
Malicious software is an application or code that compromises user security. Malicious software might steal your personal information, lock your PC until you pay a ransom, use your PC to send spam, or download other malicious software. In general, malicious software tricks, cheats, or defrauds users, places users in vulnerable states, or performs other malicious activities.
Malicious software is an application or code that compromises user security. Malicious software may steal your personal information, lock your device until you pay a ransom, use your device to send spam, or download other malicious software. In general, malicious software wants to trick, cheat, or defrauds users, placing them in vulnerable states.
Microsoft classifies most malicious software into one of the following categories:
* **Backdoor:** A type of malware that gives malicious hackers remote access to and control of your PC.
* **Backdoor:** A type of malware that gives malicious hackers remote access to and control of your device.
* **Downloader:** A type of malware that downloads other malware onto your PC. It needs to connect to the internet to download files.
* **Downloader:** A type of malware that downloads other malware onto your device. It must connect to the internet to download files.
* **Dropper:** A type of malware that installs other malware files onto your PC.Unlike a downloader, a dropper doesnt need to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.
* **Dropper:** A type of malware that installs other malware files onto your device.Unlike a downloader, a dropper doesnt have to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.
* **Exploit:** A piece of code that uses software vulnerabilities to gain access to your PC and perform other tasks, such as installing malware. [See more information about exploits](exploits-malware.md).
* **Exploit:** A piece of code that uses software vulnerabilities to gain access to your device and perform other tasks, such as installing malware. [See more information about exploits](exploits-malware.md).
* **Hacktool:** A type of tool that can be used to gain unauthorized access to your PC.
* **Hacktool:** A type of tool that can be used to gain unauthorized access to your device.
* **Macro virus:** A type of malware that spreads through infected documents, such as Microsoft Word or Excel documents. The virus is run when you open an infected document.
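Review bot: The rewritten sentence "malicious software wants to trick, cheat, or defrauds users" mixes verb forms; it should be "trick, cheat, or defraud users". In the same hunk, changing "applications and other code, i.e. software" to "applications and other code, like software" alters the meaning ("i.e." means "that is", not "such as"); "that is, software" keeps the sense without the abbreviation. The new Dropper bullet is also missing a space in "device.Unlike", and "doesnt" should be checked for its apostrophe in both the old and new line.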
@ -52,23 +50,23 @@ Microsoft classifies most malicious software into one of the following categorie
* **Password stealer:** A type of malware that gathers your personal information, such as user names and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your PC. It then displays a ransom note stating you must pay money, complete surveys, or perform other actions before you can use your PC again. [See more information about ransomware](ransomware-malware.md).
* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note which states you must pay money, complete surveys, or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md).
* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your PC. It also tries to convince you to pay for its services.
* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services.
* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead it tries to look legitimate, tricking users into downloading and installing it. Once installed, trojans perform a variety of malicious activities, such as stealing personal information, downloading other malware, or giving attackers access to your PC.
* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate and tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device.
* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your PC.
* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device.
* **Worm:** A type of malware that spreads to other PCs. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate.
* **Worm:** A type of malware that spreads to other devices. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate.
### Unwanted software
Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your PC through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software".
Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software".
#### Lack of choice
You must be notified about what is happening on your PC, including what software does and whether it is active.
You must be notified about what is happening on your device, including what software does and whether it is active.
Software that exhibits lack of choice might:
@ -84,13 +82,13 @@ Software that exhibits lack of choice might:
* Falsely claim to be software from Microsoft.
Software must not mislead or coerce you into making decisions about your PC. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
Software must not mislead or coerce you into making decisions about your device. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
* Display exaggerated claims about your PCs health.
* Display exaggerated claims about your devices health.
* Make misleading or inaccurate claims about files, registry entries, or other items on your PC.
* Make misleading or inaccurate claims about files, registry entries, or other items on your device.
* Display claims in an alarming manner about your PC's health and require payment or certain actions in exchange for fixing the purported issues.
* Display claims in an alarming manner about your device's health and require payment or certain actions in exchange for fixing the purported issues.
Software that stores or transmits your activities or data must:
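Review bot: "Display exaggerated claims about your devices health" in this hunk lacks the possessive apostrophe that the parallel bullet "your device's health" two lines below has; use "device's" in both, as the original "PC's" form did.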
@ -98,7 +96,7 @@ Software that stores or transmits your activities or data must:
#### Lack of control
You must be able to control software on your computer. You must be able to start, stop, or otherwise revoke authorization to software.
You must be able to control software on your device. You must be able to start, stop, or otherwise revoke authorization to software.
Software that exhibits lack of control might:
@ -110,7 +108,7 @@ Software that exhibits lack of control might:
* Modify or manipulate webpage content without your consent.
Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models will be considered non-extensible and should not be modified.
Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models are considered non-extensible and should not be modified.
#### Installation and removal
@ -120,7 +118,7 @@ Software that delivers *poor installation experience* might bundle or download o
Software that delivers *poor removal experience* might:
* Present confusing or misleading prompts or pop-ups while being uninstalled.
* Present confusing or misleading prompts or pop-ups when you try to uninstall it.
* Fail to use standard install/uninstall features, such as Add/Remove Programs.
@ -150,25 +148,27 @@ Advertisements shown to you must:
#### Consumer opinion
Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps us identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions.
Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions.
## Potentially unwanted application (PUA)
Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This optional protection, available to enterprises, helps deliver more productive, performant, and delightful Windows experiences.
As an individual, you can also block downloads from PUA in the new Chromium-based Edge browser by going to **Settings** > **Privacy and services** and turning on **Block potentially unwanted apps**.
*PUAs are not considered malware.*
Microsoft uses specific categories and the category definitions to classify software as a PUA.
* **Advertising software:** Software that displays advertisements or promotions, or prompts the user to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
* **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
* **Torrent software:** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.
* **Cryptomining software:** Software that uses your computer resources to mine cryptocurrencies.
* **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies.
* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA based on the criteria outlined in this document.
* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.
* **Marketing software:** Software that monitors and transmits the activities of the user to applications or services other than itself for marketing research.
* **Marketing software:** Software that monitors and transmits the activities of users to applications or services other than itself for marketing research.
* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
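Review bot: The Consumer opinion paragraph, which this hunk rewrites from "helps us" to "helps Microsoft", keeps the agreement error "This Security intelligence identifies the software as malware and are available"; the subject is singular, so it should read "is available". The mid-sentence capital in "Security intelligence" also looks unintended, since the term is lowercase in the `mdatp --definition-update` table row elsewhere in this commit.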

View File

@ -64,6 +64,7 @@ See how you can [improve your security configuration](https://docs.microsoft.com
>2. Key-in the security update KB number that you need to download, then click **Search**.
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)

View File

@ -127,22 +127,24 @@ h. Select **Manage > Assignments**. In the **Include** tab, select *
## Enable the Insider program manually on a single machine
In the command prompt, run:
In terminal, run:
```bash
mdatp --edr --early-preview true
```
>[!NOTE]
>For this command to work, you will need to be at version 100.78.x.
>To get the latest version of the Microsoft Defender ATP for MAC, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate).
For versions earlier than 100.78.0, run:
```bash
mdatp --edr --earlyPreview true
```
## Troubleshooting
### Verify you are running the correct version
To get the latest version of the Microsoft Defender ATP for Mac, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate).
To verify you are running the correct version, run mdatp --health on the machine.
* The required version is 100.72.15 or later.
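Review bot: The version requirements in this hunk contradict each other: the NOTE says "you will need to be at version 100.78.x" for `--early-preview`, the next sentence gives `--earlyPreview` for "versions earlier than 100.78.0", and the Troubleshooting section still says "The required version is 100.72.15 or later". State one minimum version for the new flag, one for the legacy flag, and align the troubleshooting bullet with them. The paragraph about setting Microsoft AutoUpdate to "Fast Ring" now appears twice, in the NOTE after the first command and again under "Verify you are running the correct version"; keep one copy.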

View File

@ -94,7 +94,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Protection |Do a full scan |`mdatp --scan --full` |
|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
|Protection |Request a security intelligence update |`mdatp --definition-update` |
|EDR |Turn on/off EDR preview for Mac |`mdatp --edr --early-preview [true/false]` |
|EDR |Turn on/off EDR preview for Mac |`mdatp --edr --early-preview [true/false]` OR `mdatp --edr --earlyPreview [true/false]` for versions earlier than 100.78.0 |
|EDR |Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
|EDR |Remove group tag from machine |`mdatp --edr --remove-tag [name]` |

View File

@ -34,7 +34,7 @@ Section | Description
2 | Machine summary (current day)
## Machine trends
By default, the machine trends displays machine information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
- 30 days
@ -42,10 +42,17 @@ By default, the machine trends displays machine information from the 30-day peri
- 6 months
- Custom
>[!NOTE]
>These filters are only applied on the machine trends section. It doesn't affect the machine summary section.
## Machine summary
While the machines trends shows trending machine information, the machine summary shows machine information scoped to the current day.
The machine trends section allows you to drill down to the machines list with the corresponding filter applied to it. For example, clicking on the Inactive bar in the Sensor health state card will bring you the machines list with results showing only machines whose sensor status is inactive.
>[!NOTE]
>The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is March 27, 2019, the data on the summary section will reflect numbers starting from September 28, 2018 to March 27, 2019.<br>
> The filter applied on the trends section is not applied on the summary section.
The machine trends section allows you to drill down to the machines list with the corresponding filter applied to it. For example, clicking on the Inactive bar in the Sensor health state card will bring you the machines list with results showing only machines whose sensor status is inactive.
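Review bot: the new note under "Machine summary" contradicts the sentence just above it: "the machine summary shows machine information scoped to the current day" versus "The data reflected in the summary section is scoped to 180 days prior to the current date"; decide which is correct and align the two. The drill-down paragraph ("The machine trends section allows you to drill down to the machines list...") appears at both ends of the hunk; confirm only one copy survives in the resulting file. That paragraph also now sits under the "Machine summary" heading while still describing "the machine trends section"; if the drill-down is from the summary cards, rename it, otherwise keep it under "Machine trends".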

View File

@ -1,4 +1,6 @@
---
title: Perform a Machine Action via the Microsoft Defender ATP API
description: This page focuses on performing a machine action via the Microsoft Defender Advanced Threat Protection (MDATP) API.
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp
@ -7,5 +9,6 @@ author: mjcaparas
ms.prod: w10
title: Note
---
>[!Note]
> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP.
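Review bot: the added `title:` and `description:` keys at the top of the frontmatter duplicate the existing `title: Note` further down in the same block; a YAML block with two `title` keys is either rejected by the build or silently takes the last value, so remove `title: Note` or drop the new key. If this file is consumed as an include rather than rendered as its own page, check whether page-level metadata is needed here at all.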

View File

@ -23,7 +23,7 @@ ms.topic: conceptual
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac.
> [!CAUTION]
> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects.
> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of MDATP for Mac EDR functionality after configuring MDATP for Mac antivirus functionality to run in [Passive mode](mac-preferences.md#enable--disable-passive-mode).
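Review bot: the added sentence should spell out what the reader gives up in passive mode (real-time protection from Microsoft Defender ATP for Mac, with the third-party product then being the only active protection while EDR keeps its visibility), so the trade-off is explicit rather than implied by "safely". Use the full product name "Microsoft Defender ATP for Mac" instead of "MDATP for Mac" to match the preceding sentence, and verify that the anchor `mac-preferences.md#enable--disable-passive-mode` (note the double hyphen) matches the generated heading id on that page.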
## Whats new in the latest release

View File

@ -60,6 +60,7 @@ Microsoft Defender ATPs Threat & Vulnerability Management allows security adm
- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)

View File

@ -1,4 +1,6 @@
---
title: Microsoft Defender ATP Pre-release Disclaimer
description: Disclaimer for pre-release version of Microsoft Defender ATP.
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp
@ -8,5 +10,5 @@ ms.prod: w10
title: "Prerelease"
---
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> [!IMPORTANT]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
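Review bot: same frontmatter issue as the other include: the added `title: Microsoft Defender ATP Pre-release Disclaimer` duplicates the existing `title: "Prerelease"` lower in the block, so one of the two `title` keys has to go. This file is pulled in via `[!include[Prerelease information](prerelease.md)]` on other pages, so confirm the build tolerates frontmatter in an include before adding a description to it. The spacing change from `>[!IMPORTANT]` to `> [!IMPORTANT]` is fine; apply the same form to the `>[!Note]` in the machine-action include for consistency.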

View File

@ -44,6 +44,8 @@ The following features are included in the preview release:
- [Endpoint detection and response for Mac devices](endpoint-detection-response-mac-preview.md). Recently, [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) released. Expanding on the protection available in Microsoft Defender ATP for Mac, endpoint detection and response capabilities are now in preview.
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR>Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table) <BR> You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
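Review bot: the "Advanced Hunting Schemas" bullet links to `advanced-hunting-registryevents-table`, which is the RegistryEvents table reference rather than a Threat & Vulnerability Management table; point it at the advanced hunting schema overview or the TVM table pages so the link matches the sentence. In the "Report inaccuracy" bullet, the words "security recommendation" link to the same `#report-inaccuracy` anchor as the bullet heading; linking the page itself for the three item names and keeping the anchored link in the heading avoids sending readers to the same spot twice. The supported-OS bullet repeats the full OS list that `tvm-supported-os` already maintains; a shorter pointer is less likely to drift out of date.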

View File

@ -183,6 +183,7 @@ ComputerName=any(ComputerName) by MachineId, AlertId
```
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)

View File

@ -34,7 +34,7 @@ Section | Description
1 | Alerts trends
2 | Alert summary
## Alert trends
By default, the alert trends display alert information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
- 30 days
@ -42,11 +42,18 @@ By default, the alert trends display alert information from the 30-day period en
- 6 months
- Custom
>[!NOTE]
>These filters are only applied on the alert trends section. It doesn't affect the alert summary section.
## Alert summary
While the alert trends shows trending alert information, the alert summary shows alert information scoped to the current day.
The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it. For example, clicking on the EDR bar in the Detection sources card will bring you the alerts queue with results showing only alerts generated from EDR detections.
>[!NOTE]
>The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is November 5, 2019, the data on the summary section will reflect numbers starting from May 5, 2019 to November 5, 2019.<br>
> The filter applied on the trends section is not applied on the summary section.
## Alert attributes
The report is made up of cards that display the following alert attributes:
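Review bot: the date example in the new note is off: 180 days before November 5, 2019 is May 9, 2019, not May 5, 2019 (May 5 to November 5 is 184 days); fix the example or restate the window. As in the machine report, the note's "scoped to 180 days prior to the current date" conflicts with the sentence under "Alert summary" that the summary "shows alert information scoped to the current day"; align the two so the reader knows which window the summary cards cover.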

View File

@ -52,9 +52,9 @@ Area | Description
(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
**Dashboards** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
**Security recommendations** | See the list of security recommendations, their related components, whether applications in your network have reached their end-of-life, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
**Software inventory** | See the list of applications, versions, weaknesses, whether theres an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
**Software inventory** | See the list of applications, versions, weaknesses, whether theres an exploit found on the application, whether the application has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
**Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages only.
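Review bot: while the Security recommendations row is being edited, fix the pre-existing typo "number or exposed devices" to "number of exposed devices". The sentence "You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options" is a comma splice; "Click an item in the list to open a flyout panel with vulnerability details, open the software page, and see the remediation and exception options" reads cleanly. The inserted phrase "whether applications in your network have reached their end-of-life" is long for a column list; "end-of-life status" keeps both the Security recommendations and Software inventory rows scannable.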
@ -69,6 +69,7 @@ Area | Description
See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)

View File

@ -38,6 +38,7 @@ Several factors affect your organization exposure score:
Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details.
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Configuration score](configuration-score.md)

View File

@ -31,7 +31,13 @@ After your organization's cybersecurity weaknesses are identified and mapped to
You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
## Navigate through your remediation options
You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard.
You can access the remediation page in a few places in the portal:
- Security recommendation flyout panel
- Remediation in the navigation menu
- Top remediation activities widget in the dashboard
*Security recommendation flyout page*
<br>You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard.
1. From the flyout panel, you'll see the security recommendation details including your next steps. Click **Remediation options**.
2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
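Review bot: the access paths are introduced as italic labels (`*Security recommendation flyout page*`), and this one is followed by a `<br>` before its first sentence while the other labels in the next hunk are not; drop the `<br>` and, since each label heads its own numbered procedure, consider making the three labels `###` subheadings so they get anchors and appear in the page outline. The label says "flyout page" but the bullet list and step 1 call it a "flyout panel"; use one term throughout.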
@ -43,13 +49,20 @@ You'll see your remediation options when you select one of the security recommen
If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
*Remediation in the navigation menu*
1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. You can filter your view based on remediation type, machine remediation progress, and exception justification. If you want to see the remediation activities of applications which have reached their end-of-life, select **Software uninstall** from the **Remediation type** filter.
2. Select the remediation activity that you need to see or process.
*Top remediation activities widget in the dashboard*
1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** widget. The list is sorted and prioritized based on what is listed in the **Top security recommendations**.
2. Select the remediation activity that you need to see or process.
## How it works
When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity.
It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune.
The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
## When to file for exception instead of remediating issues
@ -107,6 +120,7 @@ The exception impact shows on both the Security recommendations page column and
![Screenshot of where to find the exception impact](images/tvm-exception-impact.png)
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)

View File

@ -53,7 +53,7 @@ You can click on each one of them and see the details, the description, the pote
From that page, you can do any of the following depending on what you need to do:
- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, and charts so you can see the exposure trend over time.
- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, application end-of-life, and charts so you can see the exposure trend over time.
- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
@ -84,6 +84,7 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)

View File

@ -28,9 +28,9 @@ ms.date: 04/11/2019
Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
## Navigate through your software inventory
1. Select **Software inventory** from the Threat & Vulnerability management navigation menu.
2. In the **Software inventory** page, select the application that you want to investigate and a flyout panel opens up with the software details, vendor information, prevalence in the organization, exposed machines, threat context, and its impact to your organization's exposure score.
3. In the flyout panel, select **Open software page** to dive deeper into your software inventory. You will see how many weaknesses are discovered with the application, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of applications installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact, tags. You can also filter the software inventory list view based on weaknesses found in the applications, threats associated with them, and whether the applications have reached their end-of-life.
2. In the **Software inventory** page, select the application that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**.
3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the application, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
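Review bot: step 1 ends with "exposed machines, impact, tags." and needs a conjunction ("impact, and tags"). The rewrite replaces the old step 2 list ("vendor information, prevalence in the organization, exposed machines, threat context, and its impact to your organization's exposure score") with "the same details mentioned above but in a more compact view"; confirm that the flyout really no longer shows the exposure-score impact before removing that detail, since it is the one item readers use to prioritize. Step 3 has a doubled construction ("to dive deeper into your software inventory to see how many"); "to see how many weaknesses are discovered in the application, ..." is enough.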
## How it works
In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
@ -62,6 +62,7 @@ You can report a false positive when you see any vague, inaccurate version, inco
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)

View File

@ -0,0 +1,55 @@
---
title: Threat & Vulnerability Management supported operating systems
description: Before you begin, ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your all devices are properly accounted for.
keywords: mdatp-tvm supported os, mdatp-tvm, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
search.appverid: met150
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Threat & Vulnerability Management supported operating systems and platforms
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](prerelease.md)]
Before you begin, ensure that you meet the following operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for.
Operating system | Security assessment support
:---|:---
Windows 7 | Operating System (OS) vulnerabilities
Windows 8.1 | Not supported
Windows 10 1607-1703 | Operating System (OS) vulnerabilities
Windows 10 1709+ |Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
Windows Server 2008R2 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
Windows Server 2012R2 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
Windows Server 2016 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
Windows Server 2019 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
MacOS | Not supported (planned)
Linux | Not supported (planned)
Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements) list.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
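Review bot: the `description:` frontmatter reads "activities in your all devices" (should be "all your devices"), and the body sentence says "activities in your devices" ("on your devices"). In the table, write "macOS" (Apple's casing) rather than "MacOS", and add the space after the pipe in the `Windows 10 1709+ |Operating System` row for consistency with the other rows. The Windows 10 entries ("1607-1703", "1709+") omit the "version" wording used elsewhere in these docs ("Windows 10, version 1709"); pick one form. The closing sentence "Some of the above prerequisites might be different from the Minimum requirements" would be more useful if it named which rows differ (the Windows 8.1 "Not supported" row is the obvious candidate) so readers do not have to diff the two lists themselves.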

View File

@ -123,6 +123,7 @@ You can report a false positive when you see any vague, inaccurate, missing, or
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)

View File

@ -31,6 +31,8 @@ For more information preview features, see [Preview features](https://docs.micro
- [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) <BR> Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices. ([Endpoint detection and response is currently in preview](preview.md).)
- [Threat & Vulnerability Management application end-of-life notification](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) <BR>Applications which have reached their end-of-life are labeled as such so you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
## October 2019
- [Indicators for IP addresses, URLs/Domains](manage-indicators.md) <BR> You can now allow or block URLs/domains using your own threat intelligence.
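Review bot: the end-of-life bullet links only to the security recommendations page, but the same commit adds the end-of-life label and filter to the software inventory page as well ("whether the applications have reached their end-of-life"); mention or link both surfaces so readers know where the label shows up. The closing sentence "Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications" is padded; "Unsupported applications no longer receive security fixes, so removing or replacing them reduces your exposure" states the risk directly.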